Abstract. We present a theory of threads, interleaving of threads, and 
interaction between threads and services with features of molecular dy- 
namics, a model of computation that bears on computations in which 
dynamic data structures are involved. Threads can interact with services 
of which the states consist of structured data objects and computations 
take place by means of actions which may change the structure of the 
data objects. The features introduced include restriction of the scope 
of names used in threads to refer to data objects. Because that feature 
makes it troublesome to provide a model based on structural operational 
semantics and bisimulation, we construct a projective limit model for the 
theory. 
1 Introduction 

A thread is the behaviour of a deterministic sequential program under execu- 
tion. Multi-threading refers to the concurrent existence of several threads in 
a program under execution. Multi-threading is the dominant form of concur- 
rency provided by contemporary programming languages such as Java [23] and 
C# [24]. We take the line that arbitrary interleaving, on which theories and 
models about concurrent processes such as ACP [8], the π-calculus [30] and the 
Actor model [2] are based, is not the most appropriate abstraction when dealing 
with multi-threading. In the case of multi-threading, more often than not some 
deterministic interleaving strategy is used. In [13], we introduced a number of 
plausible deterministic interleaving strategies for multi-threading. We proposed 
to use the phrase strategic interleaving for the more constrained form of inter- 
leaving obtained by using such a strategy. We also introduced a feature for inter- 
action of threads with services. The algebraic theory of threads, multi-threading, 
and interaction of threads with services is called thread algebra. 

In the current paper, we extend thread algebra with features of molecular 
dynamics, a model of computation that bears on computations in which dynamic 
data structures are involved. Threads can interact with services of which the 
states consist of structured data objects and computations take place by means of 
actions which may change the structure of the data objects. The states resemble 
collections of molecules composed of atoms and the actions can be considered to 
change the structure of molecules like in chemical reactions. We elaborate on the 
model described informally in [5]. The additional features include a feature to 
restrict the scope of names used in threads to refer to data objects. That feature 
turns thread algebra into a calculus. Although it occurs in quite another setting, 
it is reminiscent of restriction in the π-calculus [30]. 

In thread algebra, we abandon the point of view that arbitrary interleav- 
ing is the most appropriate abstraction when dealing with multi-threading. The 
following points illustrate why we find difficulty in taking that point of view: 
(a) whether the interleaving of certain threads leads to deadlock depends on the 
interleaving strategy used; (b) sometimes deadlock takes place with a particular 
interleaving strategy whereas arbitrary interleaving would not lead to deadlock, 
and vice versa. Demonstrations of (a) and (b) are given in [13] and [11], respec- 
tively. Arbitrary interleaving and interleaving according to some deterministic 
interleaving strategy are two extreme forms of interleaving, but nevertheless 
they are both abstractions for multi-threading. Even in the case where real 
multi-threading is interleaving according to an interleaving strategy with some 
non-deterministic aspects, there is no reason to simply assume that arbitrary 
interleaving is the most adequate abstraction. 

The thread-service dichotomy that we make in thread algebra is useful for 
the following reasons: (a) for services, a state-based description is generally more 
convenient than an action-based description whereas it is the other way round for 
threads; (b) the interaction between threads and services is of an asymmetric 
nature. Evidence of both (a) and (b) is produced in [11] by the established 
connections of threads and services with processes as considered in an extension 
of ACP with conditions introduced in [10]. 

We started the work on thread algebra with the object to develop a theory 
about threads, multi-threading and interaction of threads with services 
that is useful for (a) gaining insight into the semantic issues concerning the 
multi-threading related features found in contemporary programming languages, 
and (b) simplified formal description and analysis of programs in which multi- 
threading is involved. 

Although thread algebra is concerned with the constrained form of inter- 
leaving found in multi-threading as provided by contemporary programming 
languages, not all relevant details of multi-threading as provided by those lan- 
guages can be modelled with thread algebra. The details concerned come up 
where multi-threading is adjusted to the object-orientation of those languages. 
It gives rise to a form of thread forking where thread forking is divided into creat- 
ing a thread object and starting the execution of the thread associated with the 
created object. Setting up a framework in which these details can be modelled 
as well is the main objective with which we have extended thread algebra with 
features of molecular dynamics. The form of thread forking mentioned above 
is modelled in this paper using the thread calculus developed. The feature to 
restrict the scope of names used in threads to refer to data objects turns out to 
be indispensable when modelling this form of thread forking. 

The construction of a model for the full thread calculus developed in this 
paper by means of a structural operational semantics and an appropriate version 
of bisimilarity is troublesome. This is mainly due to the feature to restrict the 
scope of names used in threads to refer to data objects. In fact, this feature 
complicates matters to such an extent that the structural operational semantics 
would add only marginally to a better understanding and the appropriate version 
of bisimilarity would be difficult to comprehend. Therefore, we provide instead 
a projective limit model. In process algebra, a projective limit model has been 
given for the first time in [8]. Following [27], we make the domain of the projective 
limit model into a metric space to show, using Banach's fixed point theorem, that 
operations satisfying a guardedness condition have unique fixed points. Metric 
spaces have also been applied by others in concurrency theory, either to establish 
uniqueness results for recursion equations [3] or to solve domain equations for 
process domains [4]. We also determine the position in the arithmetical hierarchy 
of the equality relation in the projective limit model. 

Thread forking is inherent in multi-threading. However, we will not introduce 
thread interleaving and thread forking combined. Thread forking is presented at 
a later stage as an extension. This is for expository reasons only. The formulations 
of many results, as well as their proofs, would be complicated by introducing 
thread forking at an early stage because the presence of thread forking would 
be accountable to many exceptions in the results. In the set-up in which thread 
forking is introduced later on, we can simply summarize which results need to 
be adapted to the presence of thread forking and how. 

Thread algebra is a design on top of an algebraic theory of the behaviour of 
deterministic sequential programs under execution introduced in [9] under the 
name basic polarized process algebra. Prompted by the development of thread al- 
gebra, basic polarized process algebra has been renamed to basic thread algebra. 

Dynamic data structures modelled using molecular dynamics can straightfor- 
wardly be implemented in programming languages ranging from PASCAL [38] 
to C# [24] through pointers or references, provided that fields are not added or 
removed dynamically. Using molecular dynamics, we need not be aware of the 
existence of the pointers used for linking data. The name molecular dynamics 
refers to the molecule metaphor used above. By that, there is no clue in the 
name itself to what it stands for. Remedying this defect, the recent upgrade of 
molecular dynamics presented in [15] is called data linkage dynamics. Chemi- 
cal abstract machines [19] are also explained using a molecule metaphor. 
However, molecular dynamics is concerned with the structure of molecule-resembling 
data, whereas chemical abstract machines are concerned with reaction between 
molecule-resembling processes. 

We can summarize the main contributions of this paper as follows: 

1. the extension of thread algebra with features of molecular dynamics, includ- 
ing operators to restrict the scope of names used in molecular dynamics; 

2. the modelling of the form of thread forking found in contemporary program- 
ming languages such as Java and C# in the resulting thread calculus; 

3. the construction of a projective limit model for the thread calculus; 

4. the result that equality in the projective limit model is a $\Pi^0_1$-relation. 

The body of this paper consists of two parts. The first part (Sections 2-11) 
is concerned with the thread calculus in itself. To bring structure in the thread 
calculus, it is presented in a modular way. The second part (Sections 12-18) is 
concerned with the projective limit model for the thread calculus. 

The first part is organized as follows. First, we review basic thread algebra 
(Section 2). Then, we extend basic thread algebra to a theory of threads, inter- 
leaving of threads and interaction of threads with services (Sections 3 and 4), 
and introduce recursion in this setting (Section 5). Next, we propose a state- 
based approach to describe services (Section 6) and use it to describe services 
for molecular dynamics (Section 7). After that, we introduce a feature to restrict 
the scope of names used in threads to refer to data objects (Section 8). Following 
this, we introduce the approximation induction principle to reason about infinite 
threads (Section 9). Finally, we introduce a basic form of thread forking (Sec- 
tion 10) and illustrate how the restriction feature can be used to model a form 
of thread forking found in contemporary programming languages (Section 11). 

The second part is organized as follows. First, we construct the projective 
limit model for the thread calculus without thread forking in two steps (Sec- 
tions 12, 13, and 14). Then, we show that recursion equations satisfying a guard- 
edness condition have unique solutions in this model (Section 15). Next, we de- 
termine the position in the arithmetical hierarchy of the equality relation in 
this model (Section 16). After that, we outline the adaptation of the projective 
limit model to thread forking (Section 17) and dwell briefly on the behavioural 
equivalence of programs from a simple program notation with support of thread 
forking in the resulting model (Section 18). 

The proofs of the theorems and propositions for which no proof is given in 
this paper can be found in [14]. In Sections 13-15, some familiarity with metric 
spaces is assumed. The definitions of all notions concerning metric spaces that are 
assumed known in those sections can be found in most introductory textbooks on 
topology. We mention [21] as an example of an introductory textbook in which 
those notions are introduced in an intuitively appealing way. 

2 Basic Thread Algebra 

In this section, we review BTA (Basic Thread Algebra), introduced in [9] under 
the name BPPA (Basic Polarized Process Algebra). BTA is a form of process 
algebra which is tailored to the description of the behaviour of deterministic 
sequential programs under execution. 

Table 1. Axiom of BTA 

$$x \unlhd \mathsf{tau} \unrhd y = x \unlhd \mathsf{tau} \unrhd x \qquad \text{T1}$$

In BTA, it is assumed that a fixed but arbitrary set $\mathcal{A}$ of basic actions, with 
$\mathsf{tau} \notin \mathcal{A}$, has been given. Besides, $\mathsf{tau}$ is a special basic action. We write 
$\mathcal{A}_{\mathsf{tau}}$ for $\mathcal{A} \cup \{\mathsf{tau}\}$. A thread performs basic actions in a sequential fashion. 
Upon each basic action performed, a reply from the execution environment of the 
thread determines how it proceeds. The possible replies are $\mathsf{T}$ and $\mathsf{F}$. Performing 
$\mathsf{tau}$, which is considered performing an internal action, always leads to the reply $\mathsf{T}$. 

The signature of BTA consists of the following constants and operators: 

— the deadlock constant D; 

— the termination constant S; 

— for each $a \in \mathcal{A}_{\mathsf{tau}}$, a binary postconditional composition operator $\_ \unlhd a \unrhd \_$. 

Throughout the paper, we assume that there is a countably infinite set of 
variables, including $x, y, z, x_1, x'_1, x_2, x'_2, \ldots$. Terms over the signature of BTA 
are built as usual (see e.g. [33,37]). Terms that contain no variables are called 
closed terms. We use infix notation for postconditional composition. We introduce 
action prefixing as an abbreviation: $a \circ p$, where $p$ is a term over the signature 
of BTA, abbreviates $p \unlhd a \unrhd p$. 

The thread denoted by a closed term of the form $p \unlhd a \unrhd q$ will first perform 
$a$, and then proceed as the thread denoted by $p$ if the reply from the execution 
environment is $\mathsf{T}$ and proceed as the thread denoted by $q$ if the reply from the 
execution environment is $\mathsf{F}$. The threads denoted by $\mathsf{D}$ and $\mathsf{S}$ will become inactive 
and terminate, respectively. 

BTA has only one axiom. This axiom is given in Table 1. Using the abbreviation 
introduced above, axiom T1 can be written as follows: $x \unlhd \mathsf{tau} \unrhd y = \mathsf{tau} \circ x$. 

Henceforth, we will write BTA($A$) for BTA with the set of basic actions $\mathcal{A}$ 
fixed to be the set $A$. 

As mentioned above, the behaviour of a thread depends upon its execution 
environment. Each basic action performed by the thread is taken as a command 
to be processed by the execution environment. At any stage, the commands 
that the execution environment can accept depend only on its history, i.e. the 
sequence of commands processed before and the sequence of replies produced 
for those commands. When the execution environment accepts a command, it 
will produce a reply value. Whether the reply is T or F usually depends on 
the execution history. However, it may also depend on external conditions. For 
example, when the execution environment accepts a command to write a file to 
a memory card, it will usually produce a positive reply, but not if the memory 
card turns out to be write-protected. 

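In the structural operational semantics of BTA, we represent an execution 
environment by a function $\rho : (\mathcal{A} \times \{\mathsf{T},\mathsf{F}\})^* \to \mathcal{P}(\mathcal{A} \times \{\mathsf{T},\mathsf{F}\})$ that satisfies 
the following condition: $(a,b) \notin \rho(\alpha) \Rightarrow \rho(\alpha \frown \langle (a,b) \rangle) = \emptyset$ for all $a \in \mathcal{A}$, 
$b \in \{\mathsf{T},\mathsf{F}\}$ and $\alpha \in (\mathcal{A} \times \{\mathsf{T},\mathsf{F}\})^*$.¹ We write $\mathcal{E}$ for the set of all those 
functions. Given an execution environment $\rho \in \mathcal{E}$ and a basic action $a \in \mathcal{A}$, the 
derived execution environment of $\rho$ after processing $a$ with a positive reply, 
written $\frac{\partial^+}{\partial a}\rho$, is defined by $\frac{\partial^+}{\partial a}\rho(\alpha) = \rho(\langle (a,\mathsf{T}) \rangle \frown \alpha)$; and the derived execution 
environment of $\rho$ after processing $a$ with a negative reply, written $\frac{\partial^-}{\partial a}\rho$, is defined 
by $\frac{\partial^-}{\partial a}\rho(\alpha) = \rho(\langle (a,\mathsf{F}) \rangle \frown \alpha)$. 

The following transition relations on closed terms over the signature of BTA 
are used in the structural operational semantics of BTA: 

— a binary relation $\langle \_, \rho \rangle \xrightarrow{a} \langle \_, \rho' \rangle$ for each $a \in \mathcal{A}_{\mathsf{tau}}$ and $\rho, \rho' \in \mathcal{E}$; 

— a unary relation $\_\downarrow$; 

— a unary relation $\_\uparrow$; 

— a unary relation $\_\updownarrow$. 

The four kinds of transition relations are called the action step, termination, 
deadlock, and termination or deadlock relations, respectively. They can be 
explained as follows: 

— $\langle p, \rho \rangle \xrightarrow{a} \langle p', \rho' \rangle$: in execution environment $\rho$, thread $p$ can perform action $a$ 
and after that proceed as thread $p'$ in execution environment $\rho'$; 

— $p\downarrow$: thread $p$ cannot but terminate successfully; 

— $p\uparrow$: thread $p$ cannot but become inactive; 

— $p\updownarrow$: thread $p$ cannot but terminate successfully or become inactive. 

The termination or deadlock relation is an auxiliary relation needed when we 
extend BTA in Section 3. 

The structural operational semantics of BTA is described by the transition 
rules given in Table 2. In this table $a$ stands for an arbitrary action from $\mathcal{A}$. 

Table 2. Transition rules of BTA 

$$\mathsf{S}\downarrow \qquad \mathsf{D}\uparrow \qquad \langle x \unlhd \mathsf{tau} \unrhd y, \rho \rangle \xrightarrow{\mathsf{tau}} \langle x, \rho \rangle$$

$$\frac{(a,\mathsf{T}) \in \rho(\langle\,\rangle)}{\langle x \unlhd a \unrhd y, \rho \rangle \xrightarrow{a} \langle x, \frac{\partial^+}{\partial a}\rho \rangle} \qquad \frac{(a,\mathsf{F}) \in \rho(\langle\,\rangle)}{\langle x \unlhd a \unrhd y, \rho \rangle \xrightarrow{a} \langle y, \frac{\partial^-}{\partial a}\rho \rangle}$$

$$\frac{x\downarrow}{x\updownarrow} \qquad \frac{x\uparrow}{x\updownarrow}$$

¹ We write $D^*$ for the set of all finite sequences with elements from set $D$, and 
$D^+$ for the set of all non-empty finite sequences with elements from set $D$. We 
write $\langle\,\rangle$ for the empty sequence, $\langle d \rangle$ for the sequence having $d$ as sole element, 
and $\alpha \frown \beta$ for the concatenation of finite sequences $\alpha$ and $\beta$. We assume the usual 
laws for concatenation of finite sequences. 
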
Bisimulation equivalence is defined as follows. A bisimulation is a symmetric 
binary relation $B$ on closed terms over the signature of BTA such that for all 
closed terms $p$ and $q$: 

— if $B(p,q)$ and $\langle p, \rho \rangle \xrightarrow{a} \langle p', \rho' \rangle$, then there is a $q'$ such that $\langle q, \rho \rangle \xrightarrow{a} \langle q', \rho' \rangle$ 
and $B(p',q')$; 

— if $B(p,q)$ and $p\downarrow$, then $q\downarrow$; 

— if $B(p,q)$ and $p\uparrow$, then $q\uparrow$. 

Two closed terms $p$ and $q$ are bisimulation equivalent, written $p \mathrel{\underline{\leftrightarrow}} q$, if there 
exists a bisimulation $B$ such that $B(p,q)$. 

Bisimulation equivalence is a congruence with respect to the postconditional 
composition operators. This follows immediately from the fact that the transition 
rules for these operators are in the path format (see e.g. [1]). The axiom given 
in Table 1 is sound with respect to bisimulation equivalence. 

3 Strategic Interleaving of Threads 

In this section, we take up the extension of BTA to a theory about threads 
and multi-threading by introducing a very simple interleaving strategy. This 
interleaving strategy, as various other plausible interleaving strategies, was first 
formalized in an extension of BTA in [13]. 

It is assumed that the collection of threads to be interleaved takes the form 
of a sequence of threads, called a thread vector. Strategic interleaving operators 
turn a thread vector of arbitrary length into a single thread. This single thread 
obtained via a strategic interleaving operator is also called a multi-thread. For- 
mally, however multi-threads are threads as well. 

The very simple interleaving strategy that we introduce here is called cyclic 
interleaving.² Cyclic interleaving basically operates as follows: at each stage of 
the interleaving, the first thread in the thread vector gets a turn to perform a 
basic action and then the thread vector undergoes cyclic permutation. We mean 
by cyclic permutation of a thread vector that the first thread in the thread vector 
becomes the last one and all others move one position to the left. If one thread 
in the thread vector deadlocks, the whole does not deadlock till all others have 
terminated or deadlocked. An important property of cyclic interleaving is that 
it is fair, i.e. there will always come a next turn for all active threads. Other 
plausible interleaving strategies are treated in [13]. They can also be adapted 
to the features of molecular dynamics that will be introduced in the current 
paper. 

In order to extend BTA to a theory about threads and multi-threading, we 
introduce the unary operator $\parallel$. This operator is called the strategic interleaving 
operator for cyclic interleaving. The thread denoted by a closed term of the 
form $\parallel(\alpha)$ is the thread that results from cyclic interleaving of the threads in the 
thread vector denoted by $\alpha$. 

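The axioms for cyclic interleaving are given in Table 3. In CSI3, the auxiliary 
deadlock at termination operator $\mathsf{S}_{\mathsf{D}}$ is used to express that in the event of 
deadlock of one thread in the thread vector, the whole deadlocks only after all 
others have terminated or deadlocked. The thread denoted by a closed term of 
the form $\mathsf{S}_{\mathsf{D}}(p)$ is the thread that results from turning termination into deadlock 
in the thread denoted by $p$. The axioms for deadlock at termination appear in 
Table 4. In Tables 3 and 4, $a$ stands for an arbitrary action from $\mathcal{A}$. 

Table 3. Axioms for cyclic interleaving 

$\parallel(\langle\,\rangle) = \mathsf{S}$    CSI1 
$\parallel(\langle \mathsf{S} \rangle \frown \alpha) = \parallel(\alpha)$    CSI2 
$\parallel(\langle \mathsf{D} \rangle \frown \alpha) = \mathsf{S}_{\mathsf{D}}(\parallel(\alpha))$    CSI3 
$\parallel(\langle \mathsf{tau} \circ x \rangle \frown \alpha) = \mathsf{tau} \circ \parallel(\alpha \frown \langle x \rangle)$    CSI4 
$\parallel(\langle x \unlhd a \unrhd y \rangle \frown \alpha) = \parallel(\alpha \frown \langle x \rangle) \unlhd a \unrhd \parallel(\alpha \frown \langle y \rangle)$    CSI5 

Table 4. Axioms for deadlock at termination 

$\mathsf{S}_{\mathsf{D}}(\mathsf{S}) = \mathsf{D}$    S2D1 
$\mathsf{S}_{\mathsf{D}}(\mathsf{D}) = \mathsf{D}$    S2D2 
$\mathsf{S}_{\mathsf{D}}(\mathsf{tau} \circ x) = \mathsf{tau} \circ \mathsf{S}_{\mathsf{D}}(x)$    S2D3 
$\mathsf{S}_{\mathsf{D}}(x \unlhd a \unrhd y) = \mathsf{S}_{\mathsf{D}}(x) \unlhd a \unrhd \mathsf{S}_{\mathsf{D}}(y)$    S2D4 

² Implementations of the cyclic interleaving strategy are usually called round-robin 
schedulers. 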

Henceforth, we will write TA for BTA extended with the strategic interleaving 
operator for cyclic interleaving, the deadlock at termination operator, and the 
axioms from Tables 3 and 4, and we will write TA($A$) for TA with the set of 
basic actions $\mathcal{A}$ fixed to be the set $A$. 

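Example 1. The following equation is easily derivable from the axioms of TA: 

$$\parallel(\langle (a_1' \circ \mathsf{S}) \unlhd a_1 \unrhd (a_1'' \circ \mathsf{S}) \rangle \frown \langle (a_2' \circ \mathsf{S}) \unlhd a_2 \unrhd (a_2'' \circ \mathsf{S}) \rangle)$$
$$= ((a_1' \circ a_2' \circ \mathsf{S}) \unlhd a_2 \unrhd (a_1' \circ a_2'' \circ \mathsf{S})) \unlhd a_1 \unrhd ((a_1'' \circ a_2' \circ \mathsf{S}) \unlhd a_2 \unrhd (a_1'' \circ a_2'' \circ \mathsf{S})) .$$

This equation shows clearly that the threads denoted by $(a_1' \circ \mathsf{S}) \unlhd a_1 \unrhd (a_1'' \circ \mathsf{S})$ 
and $(a_2' \circ \mathsf{S}) \unlhd a_2 \unrhd (a_2'' \circ \mathsf{S})$ are interleaved in a cyclic manner: first the first thread 
performs $a_1$, next the second thread performs $a_2$, next the first thread performs 
$a_1'$ or $a_1''$ depending upon the reply on $a_1$, next the second thread performs $a_2'$ or 
$a_2''$ depending upon the reply on $a_2$. 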
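
The derivation in Example 1 can be replayed mechanically. The following is an added example, not part of the paper: it applies axioms CSI1-CSI5 and S2D1-S2D4 to finite threads, and the tuple encoding and all function names are assumptions made for the illustration.

```python
# Added example: closed BTA terms as nested tuples (a constructed encoding).
#   "S" / "D"     termination / deadlock constants
#   (a, p, q)     postconditional composition: do a, continue as p on T, q on F
S, D, TAU = "S", "D", "tau"


def post(a, p, q):
    """Postconditional composition of p and q on action a."""
    return (a, p, q)


def prefix(a, p):
    """Action prefix a o p, the abbreviation for post(a, p, p)."""
    return (a, p, p)


def s_d(p):
    """Deadlock at termination, following axioms S2D1-S2D4."""
    if p in (S, D):
        return D                                  # S2D1, S2D2
    a, x, y = p
    if a == TAU:
        return prefix(TAU, s_d(x))                # S2D3 (tau always replies T)
    return post(a, s_d(x), s_d(y))                # S2D4


def cyclic(vector):
    """Cyclic interleaving of a thread vector, following axioms CSI1-CSI5."""
    vector = tuple(vector)
    if not vector:
        return S                                  # CSI1
    head, rest = vector[0], vector[1:]
    if head == S:
        return cyclic(rest)                       # CSI2
    if head == D:
        return s_d(cyclic(rest))                  # CSI3
    a, x, y = head
    if a == TAU:
        return prefix(TAU, cyclic(rest + (x,)))   # CSI4
    return post(a, cyclic(rest + (x,)), cyclic(rest + (y,)))  # CSI5


def run(p, reply):
    """Execute thread p with reply(action) -> bool; return (trace, final constant)."""
    trace = []
    while p not in (S, D):
        a, x, y = p
        trace.append(a)
        p = x if a == TAU or reply(a) else y
    return trace, p


def example1():
    """The two threads of Example 1 and their cyclic interleaving."""
    t1 = post("a1", prefix("a1'", S), prefix("a1''", S))
    t2 = post("a2", prefix("a2'", S), prefix("a2''", S))
    return t1, t2, cyclic((t1, t2))


if __name__ == "__main__":
    t1, t2, multi = example1()
    print(run(multi, lambda a: True))             # every reply is T
    print(run(multi, lambda a: a != "a1"))        # reply F on a1 only
    print(cyclic((D, prefix("b", S))))            # deadlock of one thread is postponed
```

The last call shows the effect of CSI3: a deadlocked first thread does not stop the second one, and the whole becomes inactive only after the second thread has performed its action.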

We can prove that each closed term over the signature of TA can be reduced 
to a closed term over the signature of BTA. 

Theorem 1 (Elimination). For all closed terms $p$ over the signature of TA, 
there exists a closed term $q$ over the signature of BTA such that $p = q$ is derivable 
from the axioms of TA. 

The following proposition, concerning the cyclic interleaving of a thread vec- 
tor of length 1, is easily proved using Theorem 1. 
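
Table 5. Transition rules for cyclic interleaving and deadlock at termination 

$$\frac{x_1\downarrow, \ldots, x_k\downarrow,\ \langle x_{k+1}, \rho \rangle \xrightarrow{a} \langle x'_{k+1}, \rho' \rangle}{\langle \parallel(\langle x_1 \rangle \frown \ldots \frown \langle x_{k+1} \rangle \frown \alpha), \rho \rangle \xrightarrow{a} \langle \parallel(\alpha \frown \langle x'_{k+1} \rangle), \rho' \rangle} \quad (k \geq 0)$$

$$\frac{x_1\updownarrow, \ldots, x_k\updownarrow,\ x_l\uparrow,\ \langle x_{k+1}, \rho \rangle \xrightarrow{a} \langle x'_{k+1}, \rho' \rangle}{\langle \parallel(\langle x_1 \rangle \frown \ldots \frown \langle x_{k+1} \rangle \frown \alpha), \rho \rangle \xrightarrow{a} \langle \parallel(\alpha \frown \langle \mathsf{D} \rangle \frown \langle x'_{k+1} \rangle), \rho' \rangle} \quad (k \geq l > 0)$$

$$\frac{x_1\downarrow, \ldots, x_k\downarrow}{\parallel(\langle x_1 \rangle \frown \ldots \frown \langle x_k \rangle)\downarrow} \qquad \frac{x_1\updownarrow, \ldots, x_k\updownarrow,\ x_l\uparrow}{\parallel(\langle x_1 \rangle \frown \ldots \frown \langle x_k \rangle)\uparrow} \quad (k \geq l > 0)$$

$$\frac{\langle x, \rho \rangle \xrightarrow{a} \langle x', \rho' \rangle}{\langle \mathsf{S}_{\mathsf{D}}(x), \rho \rangle \xrightarrow{a} \langle \mathsf{S}_{\mathsf{D}}(x'), \rho' \rangle} \qquad \frac{x\updownarrow}{\mathsf{S}_{\mathsf{D}}(x)\uparrow}$$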

Proposition 1. For all closed terms $p$ over the signature of TA, the equation 
$\parallel(\langle p \rangle) = p$ is derivable from the axioms of TA. 

The equation $\parallel(\langle p \rangle) = p$ from Proposition 1 expresses the obvious fact that in 
the cyclic interleaving of a thread vector of length 1 no proper interleaving is 
involved. 

The following are useful properties of the deadlock at termination operator 
which are proved using Theorem 1 as well. 

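Proposition 2. For all closed terms $p_1, \ldots, p_n$ over the signature of TA, the 
following equations are derivable from the axioms of TA: 

$$\mathsf{S}_{\mathsf{D}}(\parallel(\langle p_1 \rangle \frown \ldots \frown \langle p_n \rangle)) = \parallel(\langle \mathsf{S}_{\mathsf{D}}(p_1) \rangle \frown \ldots \frown \langle \mathsf{S}_{\mathsf{D}}(p_n) \rangle) , \qquad (1)$$

$$\mathsf{S}_{\mathsf{D}}(\mathsf{S}_{\mathsf{D}}(p_1)) = \mathsf{S}_{\mathsf{D}}(p_1) . \qquad (2)$$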

The structural operational semantics of TA is described by the transition 
rules given in Tables 2 and 5. In Table 5, $a$ stands for an arbitrary action from 
$\mathcal{A}_{\mathsf{tau}}$. 

Bisimulation equivalence is also a congruence with respect to the strategic 
interleaving operator for cyclic interleaving and the deadlock at termination 
operator. This follows immediately from the fact that the transition rules for 
TA constitute a complete transition system specification in the relaxed panth 
format (see e.g. [29]). The axioms given in Tables 3 and 4 are sound with respect 
to bisimulation equivalence. 

We have taken the operator || for a unary operator of which the operand 
denotes a sequence of threads. This matches well with the intuition that an 
interleaving strategy such as cyclic interleaving operates on a thread vector. We 
can look upon the operator || as if there is actually an n-ary operator, of which 
the operands denote threads, for every $n \in \mathbb{N}$. From Section 12, we will freely 
look upon the operator || in this way for the purpose of more concise expression 
of definitions and results concerning the projective limit model for the thread 
calculus presented in this paper. 
4 Interaction between Threads and Services 



A thread may make use of services. That is, a thread may perform certain actions 
for the purpose of having itself affected by a service that takes those actions as 
commands to be processed. At completion of the processing of an action, the 
service returns a reply value to the thread. The reply value determines how 
the thread proceeds. In this section, we extend TA to a theory about threads, 
multi-threading, and this kind of interaction between threads and services. 

It is assumed that a fixed but arbitrary set of foci $\mathcal{F}$ and a fixed but arbitrary 
set of methods $\mathcal{M}$ have been given. For the set of basic actions $\mathcal{A}$, we take the 
set $FM = \{f.m \mid f \in \mathcal{F}, m \in \mathcal{M}\}$. Each focus plays the role of a name of a 
service provided by the execution environment that can be requested to process 
a command. Each method plays the role of a command proper. Performing a 
basic action $f.m$ is taken as making a request to the service named $f$ to process 
the command $m$. 

In order to extend TA to a theory about threads, multi-threading, and the 
above-mentioned kind of interaction between threads and services, we introduce, 
for each $f \in \mathcal{F}$, a binary thread-service composition operator $\_ /_f\, \_$. The thread 
denoted by a closed term of the form $p /_f H$ is the thread that results from 
processing all basic actions performed by the thread denoted by $p$ that are of 
the form $f.m$ by the service denoted by $H$. On processing of a basic action of 
the form $f.m$, the resulting thread performs the action $\mathsf{tau}$ and proceeds on the 
basis of the reply value returned to the thread. 

A service may be unable to process certain commands. If the processing of 
one of those commands is requested by a thread, the request is rejected and the 
thread becomes inactive. In the representation of services, an additional reply 
value R is used to indicate that a request is rejected. 

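A service is represented by a function $H : \mathcal{M}^+ \to \{\mathsf{T}, \mathsf{F}, \mathsf{R}\}$ satisfying 
$H(\alpha) = \mathsf{R} \Rightarrow H(\alpha \frown \langle m \rangle) = \mathsf{R}$ for all $\alpha \in \mathcal{M}^+$ and $m \in \mathcal{M}$. This function is called the 
reply function of the service. We write $\mathcal{RF}$ for the set of all reply functions. Given 
a reply function $H \in \mathcal{RF}$ and a method $m \in \mathcal{M}$, the derived reply function of 
$H$ after processing $m$, written $\frac{\partial}{\partial m}H$, is defined by $\frac{\partial}{\partial m}H(\alpha) = H(\langle m \rangle \frown \alpha)$. 

The connection between a reply function $H$ and the service represented by 
it can be understood as follows: 

— if $H(\langle m \rangle) \neq \mathsf{R}$, the request to process command $m$ is accepted by the service, 
the reply is $H(\langle m \rangle)$, and the service proceeds as $\frac{\partial}{\partial m}H$; 

— if $H(\langle m \rangle) = \mathsf{R}$, the request to process command $m$ is rejected by the service 
and the service proceeds as a service that rejects any request. 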

Henceforth, we will identify a reply function with the service represented by it. 

The axioms for the thread-service composition operators are given in Table 6. 
In this table, $f$ and $g$ stand for arbitrary foci from $\mathcal{F}$ and $m$ stands for an 
arbitrary method from $\mathcal{M}$. Axioms TSC3 and TSC4 express that the action $\mathsf{tau}$ 
and actions of the form $g.m$, where $f \neq g$, are not processed. Axioms TSC5 and 
TSC6 express that a thread is affected by a service as described above when 
an action of the form $f.m$ performed by the thread is processed by the service. 
Axiom TSC7 expresses that deadlock takes place when an action to be processed 
is not accepted. 

Table 6. Axioms for thread-service composition 

$\mathsf{S} /_f H = \mathsf{S}$    TSC1 
$\mathsf{D} /_f H = \mathsf{D}$    TSC2 
$(\mathsf{tau} \circ x) /_f H = \mathsf{tau} \circ (x /_f H)$    TSC3 
$(x \unlhd g.m \unrhd y) /_f H = (x /_f H) \unlhd g.m \unrhd (y /_f H)$  if $f \neq g$    TSC4 
$(x \unlhd f.m \unrhd y) /_f H = \mathsf{tau} \circ (x /_f \frac{\partial}{\partial m}H)$  if $H(\langle m \rangle) = \mathsf{T}$    TSC5 
$(x \unlhd f.m \unrhd y) /_f H = \mathsf{tau} \circ (y /_f \frac{\partial}{\partial m}H)$  if $H(\langle m \rangle) = \mathsf{F}$    TSC6 
$(x \unlhd f.m \unrhd y) /_f H = \mathsf{D}$  if $H(\langle m \rangle) = \mathsf{R}$    TSC7 

Henceforth, we write $\mathrm{TA}^{\mathrm{tsc}}$ for TA($FM$) extended with the thread-service 
composition operators and the axioms from Table 6. 

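Example 2. Let $m, m', m'' \in \mathcal{M}$, and let $H$ be a service such that $H(\alpha \frown \langle m \rangle) = \mathsf{T}$ 
if $\#_{m'}(\alpha) > 0$, $H(\alpha \frown \langle m \rangle) = \mathsf{F}$ if $\#_{m'}(\alpha) \leq 0$, and $H(\alpha \frown \langle m' \rangle) = \mathsf{T}$, for all 
$\alpha \in \mathcal{M}^*$. Here $\#_{m'}(\alpha)$ denotes the number of occurrences of $m'$ in $\alpha$. Then the 
following equation is easily derivable from the axioms of $\mathrm{TA}^{\mathrm{tsc}}$: 

$$(f.m' \circ ((f'.m' \circ \mathsf{S}) \unlhd f.m \unrhd (f''.m'' \circ \mathsf{S}))) /_f H = \mathsf{tau} \circ \mathsf{tau} \circ f'.m' \circ \mathsf{S} .$$

This equation shows clearly how the thread denoted by $f.m' \circ ((f'.m' \circ \mathsf{S}) \unlhd f.m \unrhd (f''.m'' \circ \mathsf{S}))$ 
is affected by service $H$: on the processing of $f.m'$ and $f.m$, these 
basic actions are turned into $\mathsf{tau}$, and the reply value returned by $H$ after the 
processing of $f.m$ makes the thread proceed with performing $f'.m'$. 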

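We can prove that each closed term over the signature of $\mathrm{TA}^{\mathrm{tsc}}$ can be reduced 
to a closed term over the signature of BTA($FM$). 

Theorem 2 (Elimination). For all closed terms $p$ over the signature of $\mathrm{TA}^{\mathrm{tsc}}$, 
there exists a closed term $q$ over the signature of BTA($FM$) such that $p = q$ is 
derivable from the axioms of $\mathrm{TA}^{\mathrm{tsc}}$. 

The following are useful properties of the deadlock at termination operator 
in the presence of both cyclic interleaving and thread-service composition which 
are proved using Theorem 2. 

Proposition 3. For all closed terms $p_1, \ldots, p_n$ over the signature of $\mathrm{TA}^{\mathrm{tsc}}$, the 
following equations are derivable from the axioms of $\mathrm{TA}^{\mathrm{tsc}}$: 

$$\mathsf{S}_{\mathsf{D}}(\parallel(\langle p_1 \rangle \frown \ldots \frown \langle p_n \rangle)) = \parallel(\langle \mathsf{S}_{\mathsf{D}}(p_1) \rangle \frown \ldots \frown \langle \mathsf{S}_{\mathsf{D}}(p_n) \rangle) , \qquad (1)$$

$$\mathsf{S}_{\mathsf{D}}(\mathsf{S}_{\mathsf{D}}(p_1)) = \mathsf{S}_{\mathsf{D}}(p_1) , \qquad (2)$$

$$\mathsf{S}_{\mathsf{D}}(p_1 /_f H) = \mathsf{S}_{\mathsf{D}}(p_1) /_f H . \qquad (3)$$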
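
Table 7. Transition rules for thread-service composition 

$$\frac{\langle x, \rho \rangle \xrightarrow{\mathsf{tau}} \langle x', \rho' \rangle}{\langle x /_f H, \rho \rangle \xrightarrow{\mathsf{tau}} \langle x' /_f H, \rho' \rangle} \qquad \frac{\langle x, \rho \rangle \xrightarrow{g.m} \langle x', \rho' \rangle}{\langle x /_f H, \rho \rangle \xrightarrow{g.m} \langle x' /_f H, \rho' \rangle} \quad f \neq g$$

$$\frac{\langle x, \rho \rangle \xrightarrow{f.m} \langle x', \rho' \rangle}{\langle x /_f H, \rho \rangle \xrightarrow{\mathsf{tau}} \langle x' /_f \frac{\partial}{\partial m}H, \rho' \rangle} \quad H(\langle m \rangle) \neq \mathsf{R},\ (f.m, H(\langle m \rangle)) \in \rho(\langle\,\rangle)$$

$$\frac{\langle x, \rho \rangle \xrightarrow{f.m} \langle x', \rho' \rangle}{x /_f H \uparrow} \quad H(\langle m \rangle) = \mathsf{R}$$

$$\frac{x\downarrow}{x /_f H \downarrow} \qquad \frac{x\uparrow}{x /_f H \uparrow}$$
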

The structural operational semantics of $\mathrm{TA}^{\mathrm{tsc}}$ is described by the transition 
rules given in Tables 2, 5 and 7. In Table 7, $f$ and $g$ stand for arbitrary foci from 
$\mathcal{F}$ and $m$ stands for an arbitrary method from $\mathcal{M}$. 

Bisimulation equivalence is also a congruence with respect to the thread- 
service composition operators. This follows immediately from the fact that the 
transition rules for these operators are in the path format. The axioms given in 
Table 6 are sound with respect to bisimulation equivalence. 

Leaving out of consideration that the use operators introduced in [13] support 
special actions for testing whether commands will be accepted by services, those 
operators are the same as the thread-service composition operators introduced 
in this section. 

We end this section with a precise statement of what we mean by a regular 
service. Let $H \in \mathcal{RF}$. Then the set $\Delta(H) \subseteq \mathcal{RF}$ is inductively defined by the 
following rules: 

- $H \in \Delta(H)$; 

- if $m \in \mathcal{M}$ and $H' \in \Delta(H)$, then $\frac{\partial}{\partial m}H' \in \Delta(H)$. 

We say that $H$ is a regular service if $\Delta(H)$ is a finite set. 

In Section 5, we need the notion of a regular service in Proposition 6. In the 
state-based approach to describe services that will be introduced in Section 6, a 
service can be described using a finite set of states if and only if it is regular. 



5 Recursion 

We proceed to recursion in the current setting. In this section, T stands for either 
BTA, TA, $\mathrm{TA}^{\mathrm{tsc}}$ or TC^d (TC^d will be introduced in Section 8). We extend 
T with recursion by adding variable binding operators and axioms concerning 
these additional operators. We will write T + REC for the resulting theory. 

For each variable $x$, we add a variable binding recursion operator $\mathsf{fix}_x$ to the 
operators of T. 

Let $t$ be a term over the signature of T + REC. Then an occurrence of a 
variable $x$ in $t$ is free if the occurrence is not contained in a subterm of the form 
$\mathsf{fix}_x(t')$. A variable $x$ is guarded in $t$ if each free occurrence of $x$ in $t$ is contained 
in a subterm of the form $t' \unlhd a \unrhd t''$. 

Table 8. Axioms for recursion 

$\mathsf{fix}_x(t) = t[\mathsf{fix}_x(t)/x]$    REC1 
$y = t[y/x] \Rightarrow y = \mathsf{fix}_x(t)$  if $x$ guarded in $t$    REC2 
$\mathsf{fix}_x(x) = \mathsf{D}$    REC3 

Let $t$ be a term over the signature of T + REC such that $\mathsf{fix}_x(t)$ is a closed 
term. Then $\mathsf{fix}_x(t)$ stands for a solution of the equation $x = t$. We are only 
interested in models of T + REC in which $x = t$ has a unique solution if $x$ is 
guarded in $t$. If $x$ is unguarded in $t$, then $\mathsf{D}$ is always one of the solutions of 
$x = t$. We stipulate that $\mathsf{fix}_x(t)$ stands for $\mathsf{D}$ if $x$ is unguarded in $t$. 

We add the axioms for recursion given in Table 8 to the axioms of T. In this 
table, $t$ stands for an arbitrary term over the signature of T + REC. The side- 
condition added to REC2 restricts the terms for which $t$ stands to the terms in 
which $x$ is guarded. For a fixed $t$ such that $\mathsf{fix}_x(t)$ is a closed term, REC1 expresses 
that $\mathsf{fix}_x(t)$ is a solution of $x = t$ and REC2 expresses that this solution is the 
only one if $x$ is guarded in $t$. REC3 expresses that $\mathsf{fix}_x(x)$ is the non-unique 
solution $\mathsf{D}$ of the equation $x = x$. 

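Example 3. Let $m, m' \in \mathcal{M}$, and let $H$ be a service such that $H(\alpha \frown \langle m \rangle) = \mathsf{T}$ 
if $\#_m(\alpha) \geq 3$, and $H(\alpha \frown \langle m \rangle) = \mathsf{F}$ if $\#_m(\alpha) < 3$. Here $\#_m(\alpha)$ denotes the 
number of occurrences of $m$ in $\alpha$. Then the following equation is easily derivable 
from the axioms of TA$^{\mathrm{tsc}}$+REC: 

$$\mathsf{fix}_x((f'.m' \circ \mathsf{S}) \unlhd f.m \unrhd x) \mathbin{/_f} H = \mathsf{tau} \circ \mathsf{tau} \circ \mathsf{tau} \circ \mathsf{tau} \circ f'.m' \circ \mathsf{S} .$$

This equation shows clearly that the thread denoted by $\mathsf{fix}_x((f'.m' \circ \mathsf{S}) \unlhd f.m \unrhd x)$ 
performs $f.m$ repeatedly until the reply from service $H$ is $\mathsf{T}$. 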
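
The derivation in Example 3 can be replayed mechanically. The following Python sketch is an added example, not code from the paper: it unfolds the recursion lazily (axiom REC1) and applies the thread-service composition axioms to the result. The class and function names, the cap on the counter (which keeps the set of service states finite), and the choice that $H$ rejects every method other than $m$ are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Union


@dataclass(frozen=True)
class Post:
    """on_true <| action |> on_false. Branches are thunks, so a recursive
    thread is only unfolded (axiom REC1) when a branch is actually taken."""
    action: str                      # "tau" or "focus.method"
    on_true: Callable[[], "Thread"]
    on_false: Callable[[], "Thread"]


Thread = Union[str, Post]            # "S", "D" or a postconditional composition


def prefix(action, then):
    """Action prefix  action o then,  i.e.  then <| action |> then."""
    k = lambda: then
    return Post(action, k, k)


@dataclass(frozen=True)
class CountingService:
    """Service H of Example 3, described by states: reply T to m once m has
    been processed at least 3 times before, F otherwise.
    Assumption: every other method is rejected."""
    seen: int = 0                    # min(#_m(alpha), 3): finitely many states
    rejecting: bool = False

    def reply(self, method):
        if self.rejecting or method != "m":
            return "R"
        return "T" if self.seen >= 3 else "F"

    def derivative(self, method):
        """The service after processing `method`."""
        if self.reply(method) == "R":
            return CountingService(self.seen, True)
        return CountingService(min(self.seen + 1, 3))


def compose(thread, focus, service):
    """thread /_focus service, following the thread-service composition axioms."""
    if isinstance(thread, str):                      # S and D are unaffected
        return thread
    act_focus, _, method = thread.action.partition(".")
    if thread.action != "tau" and act_focus == focus:
        reply = service.reply(method)
        if reply == "R":                             # rejected request: deadlock
            return "D"
        branch = thread.on_true if reply == "T" else thread.on_false
        after = service.derivative(method)
        k = lambda: compose(branch(), focus, after)
        return Post("tau", k, k)                     # processed action becomes tau
    return Post(thread.action,                       # tau or another focus
                lambda: compose(thread.on_true(), focus, service),
                lambda: compose(thread.on_false(), focus, service))


def show(thread, depth=12):
    """Render a thread up to the given depth."""
    if isinstance(thread, str):
        return thread
    if depth == 0:
        return "..."
    t = show(thread.on_true(), depth - 1)
    f = t if thread.on_false is thread.on_true else show(thread.on_false(), depth - 1)
    if t == f and "..." not in t:
        return f"{thread.action} o {t}"
    return f"({t} <| {thread.action} |> {f})"


def example3_thread():
    """One unfolding of fix_x((f'.m' o S) <| f.m |> x)."""
    return Post("f.m", lambda: prefix("f'.m'", "S"), example3_thread)


def example3_result():
    return show(compose(example3_thread(), "f", CountingService()))
```

Calling `example3_result()` returns the right-hand side of the equation in Example 3, with four occurrences of tau.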

Let $t$ and $t'$ be terms over the signature of T + REC such that $\mathsf{fix}_x(t)$ and 
$\mathsf{fix}_x(t')$ are closed terms and $t = t'$ is derivable by either applying an axiom of T 
in either direction or axiom REC1 from left to right. Then it is straightforwardly 
proved, using the necessary and sufficient condition for preservation of solutions 
given in [32], that $x = t$ and $x = t'$ have the same set of solutions in any model 
of T. Hence, if $x = t$ has a unique solution, then $x = t'$ has a unique solution 
and those solutions are the same. This justifies a weakening of the side-condition 
of axiom REC2 in the case where $\mathsf{fix}_x(t)$ is a closed term. In that case, it can 
be replaced by "$x$ is guarded in some term $t'$ for which $t = t'$ is derivable by 
applying axioms of T in either direction and/or axiom REC1 from left to right". 

Theorem 1 states that the strategic interleaving operator for cyclic interleav- 
ing and the deadlock at termination operator can be eliminated from closed terms 
over the signature of TA. Theorem 2 states that, besides that, the thread-service 
composition operators can be eliminated from closed terms over the signature of 
TA$^{\mathrm{tsc}}$. These theorems do not state anything concerning closed terms over the 
signature of TA+REC or closed terms over the signature of TA$^{\mathrm{tsc}}$+REC. The 
following three propositions concern the case where the operand of the strategic 
interleaving operator for cyclic interleaving is a sequence of closed terms over 
the signature of BTA+REC of the form $\mathsf{fix}_x(t)$, the case where the operand of 
the deadlock at termination operator is such a closed term, and the case where 
the first operand of a thread-service composition operator is such a closed term. 

Table 9. Transition rules for recursion 

$$
\frac{\langle t[\mathsf{fix}_x(t)/x], \rho \rangle \xrightarrow{a} \langle x', \rho' \rangle}{\langle \mathsf{fix}_x(t), \rho \rangle \xrightarrow{a} \langle x', \rho' \rangle}
\qquad
\frac{t[\mathsf{fix}_x(t)/x]\downarrow}{\mathsf{fix}_x(t)\downarrow}
\qquad
\frac{t[\mathsf{fix}_x(t)/x]\uparrow}{\mathsf{fix}_x(t)\uparrow}
$$

Proposition 4. Let $t$ and $t'$ be terms over the signature of BTA+REC such 
that $\mathsf{fix}_x(t)$ and $\mathsf{fix}_y(t')$ are closed terms. Then there exists a term $t''$ over the 
signature of BTA+REC such that $\parallel(\langle \mathsf{fix}_x(t) \rangle \frown \langle \mathsf{fix}_y(t') \rangle) = \mathsf{fix}_z(t'')$ is derivable 
from the axioms of TA+REC. 

Proposition 5. Let $t$ be a term over the signature of BTA+REC such that 
$\mathsf{fix}_x(t)$ is a closed term. Then there exists a term $t'$ over the signature of 
BTA+REC such that $\mathsf{S_D}(\mathsf{fix}_x(t)) = \mathsf{fix}_y(t')$ is derivable from the axioms of 
TA+REC. 

Proposition 6. Let $t$ be a term over the signature of BTA+REC such that 
$\mathsf{fix}_x(t)$ is a closed term. Moreover, let $f \in \mathcal{F}$ and let $H \in \mathcal{RF}$ be a regular 
service. Then there exists a term $t'$ over the signature of BTA+REC such that 
$\mathsf{fix}_x(t) \mathbin{/_f} H = \mathsf{fix}_y(t')$ is derivable from the axioms of TA$^{\mathrm{tsc}}$+REC. 

Propositions 4, 5 and 6 state that the strategic interleaving operator for cyclic 
interleaving, the deadlock at termination operator and the thread-service com- 
position operators can be eliminated from closed terms of the form $\parallel(\langle \mathsf{fix}_x(t) \rangle \frown 
\langle \mathsf{fix}_y(t') \rangle)$, $\mathsf{S_D}(\mathsf{fix}_x(t))$ and $\mathsf{fix}_x(t) \mathbin{/_f} H$, where $t$ and $t'$ are terms over the signa- 
ture of BTA+REC and $H$ is a regular service. Moreover, they state that the 
resulting term is a closed term of the form $\mathsf{fix}_z(t'')$, where $t''$ is a term over the 
signature of BTA+REC. Proposition 4 generalizes to the case where the operand 
is a sequence of length greater than 2. 

The transition rules for recursion are given in Table 9. In this table, $x$ and 
$t$ stand for an arbitrary variable and an arbitrary term over the signature of 
T + REC, respectively, such that $\mathsf{fix}_x(t)$ is a closed term. In this table, $a$ stands 
for an arbitrary action from $\mathcal{A}_{\mathsf{tau}}$. 

The transition rules for recursion given in Table 9 are not in the path format. 
They can be put in the generalized panth format from [29] , which guarantees that 
bisimulation equivalence is a congruence with respect to the recursion operators, 
but that requires generalizations of many notions that are material to structural 
operational semantics. The axioms given in Table 8 are sound with respect to 
bisimulation equivalence. 
This is the first time that recursion is incorporated in thread algebra by 
adding recursion operators. Usually, it is incorporated by adding constants for 
solutions of systems of recursion equations (see e.g. [14]). However, that way of 
incorporating recursion does not go with the restriction operators that will be 
introduced in Section 8. 

6 State-Based Description of Services 

In this section, we introduce the state-based approach to describe a family of 
services which will be used in Section 7. This approach is similar to the approach 
to describe state machines introduced in [18]. 

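In this approach, a family of services is described by 

— a set of states $S$; 

— an effect function $\mathit{eff} : \mathcal{M} \times S \to S$; 

— a yield function $\mathit{yld} : \mathcal{M} \times S \to \{\mathsf{T}, \mathsf{F}, \mathsf{R}\}$; 

satisfying the following condition: 

$$\exists s \in S \bullet \forall m \in \mathcal{M} \bullet (\mathit{yld}(m, s) = \mathsf{R} \land \forall s' \in S \bullet (\mathit{yld}(m, s') = \mathsf{R} \Rightarrow \mathit{eff}(m, s') = s)) .$$

The set $S$ contains the states in which the service may be, and the functions $\mathit{eff}$ 
and $\mathit{yld}$ give, for each method $m$ and state $s$, the state and reply, respectively, 
that result from processing $m$ in state $s$. By the condition imposed on $S$, $\mathit{eff}$ 
and $\mathit{yld}$, after a request has been rejected by the service, it gets into a state in 
which any request will be rejected. 

We define, for each $s \in S$, a cumulative effect function $\mathit{ceff}_s : \mathcal{M}^* \to S$ in 
terms of $s$ and $\mathit{eff}$ as follows: 

$$\mathit{ceff}_s(\langle\rangle) = s ,$$

$$\mathit{ceff}_s(\alpha \frown \langle m \rangle) = \mathit{eff}(m, \mathit{ceff}_s(\alpha)) .$$

We define, for each $s \in S$, a service $H_s : \mathcal{M}^+ \to \{\mathsf{T}, \mathsf{F}, \mathsf{R}\}$ in terms of $\mathit{ceff}_s$ and 
$\mathit{yld}$ as follows: 

$$H_s(\alpha \frown \langle m \rangle) = \mathit{yld}(m, \mathit{ceff}_s(\alpha)) .$$

$H_s$ is called the service with initial state $s$ described by $S$, $\mathit{eff}$ and $\mathit{yld}$. We say 
that $\{H_s \mid s \in S\}$ is the family of services described by $S$, $\mathit{eff}$ and $\mathit{yld}$. 

For each $s \in S$, $H_s$ is a service indeed: the condition imposed on $S$, $\mathit{eff}$ and 
$\mathit{yld}$ implies that $H_s(\alpha) = \mathsf{R} \Rightarrow H_s(\alpha \frown \langle m \rangle) = \mathsf{R}$ for all $\alpha \in \mathcal{M}^+$ and $m \in \mathcal{M}$. It 
is worth mentioning that $H_s(\langle m \rangle) = \mathit{yld}(m, s)$ and $\frac{\partial}{\partial m} H_s = H_{\mathit{eff}(m,s)}$. 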
7 Services for Molecular Dynamics 



In this section, we describe a family of services which concerns molecular dy- 
namics. The formal description given here elaborates on an informal description 
of molecular dynamics given in [5] . 

The states of molecular dynamics services resemble collections of molecules 
composed of atoms and the methods of molecular dynamics services transform 
the structure of molecules like in chemical reactions. An atom can have fields 
and each of those fields can contain an atom. An atom together with the ones it 
has links to via fields can be viewed as a submolecule, and a submolecule that 
is not contained in a larger submolecule can be viewed as a molecule. Thus, the 
collection of molecules that make up a state can be viewed as a fluid. By means 
of methods, new atoms can be created, fields can be added to and removed from 
atoms, and the contents of fields of atoms can be examined and modified. A few 
methods use a spot to put an atom in or to get an atom from. By means of 
methods, the contents of spots can be compared and modified as well. Creating 
an atom is thought of as turning an element of a given set of proto-atoms into 
an atom. If there are no proto-atoms left, then atoms can no longer be created. 

It is assumed that a set Spot of spots and a set Field of fields have been 
given. It is also assumed that a countable set PAtom of proto-atoms such that 
$\bot \notin \mathsf{PAtom}$ and a bijection $\mathit{patom} : [1, \mathrm{card}(\mathsf{PAtom})] \to \mathsf{PAtom}$ have been given. 
Although the set of proto-atoms may be infinite, there exists at any time only a 
finite number of atoms. Each of those atoms has only a finite number of fields. 
Molecular dynamics services have the following methods: 

— for each $s \in \mathsf{Spot}$, a create atom method $s\,!$; 

— for each $s, s' \in \mathsf{Spot}$, a set spot method $s = s'$; 

— for each $s \in \mathsf{Spot}$, a clear spot method $s = 0$; 

— for each $s, s' \in \mathsf{Spot}$, an equality test method $s == s'$; 

— for each $s \in \mathsf{Spot}$, an undefinedness test method $s == 0$; 

— for each $s \in \mathsf{Spot}$ and $v \in \mathsf{Field}$, an add field method $s/v$; 

— for each $s \in \mathsf{Spot}$ and $v \in \mathsf{Field}$, a remove field method $s \backslash v$; 

— for each $s \in \mathsf{Spot}$ and $v \in \mathsf{Field}$, a has field method $s \,|\, v$; 

— for each $s, s' \in \mathsf{Spot}$ and $v \in \mathsf{Field}$, a set field method $s.v = s'$; 

— for each $s, s' \in \mathsf{Spot}$ and $v \in \mathsf{Field}$, a get field method $s = s'.v$. 

We write $\mathcal{M}_{\mathrm{md}}$ for the set of all methods of molecular dynamics services. It is 
assumed that $\mathcal{M}_{\mathrm{md}} \subseteq \mathcal{M}$. 

The states of molecular dynamics services comprise the contents of all spots, 
the fields of the existing atoms, and the contents of those fields. The methods of 
molecular dynamics services can be explained as follows: 

— $s\,!$: if an atom can be created, then the contents of spot $s$ becomes a newly 
created atom and the reply is T; otherwise, nothing changes and the reply 
is F; 

— $s = s'$: the contents of spot $s'$ becomes the same as the contents of spot $s$ 
and the reply is T; 

— $s = 0$: the contents of spot $s$ becomes undefined and the reply is T; 

— $s == s'$: if the contents of spot $s$ equals the contents of spot $s'$, then nothing 
changes and the reply is T; otherwise, nothing changes and the reply is F; 

— $s == 0$: if the contents of spot $s$ is undefined, then nothing changes and the 
reply is T; otherwise, nothing changes and the reply is F; 

— $s/v$: if the contents of spot $s$ is an atom and $v$ is not yet a field of that atom, 
then $v$ is added (with undefined contents) to the fields of that atom and the 
reply is T; otherwise, nothing changes and the reply is F; 

— $s \backslash v$: if the contents of spot $s$ is an atom and $v$ is a field of that atom, then $v$ 
is removed from the fields of that atom and the reply is T; otherwise, nothing 
changes and the reply is F; 

— $s \,|\, v$: if the contents of spot $s$ is an atom and $v$ is a field of that atom, then 
nothing changes and the reply is T; otherwise, nothing changes and the reply 
is F; 

— $s.v = s'$: if the contents of spot $s$ is an atom and $v$ is a field of that atom, 
then the contents of spot $s'$ becomes the same as the contents of that field 
and the reply is T; otherwise, nothing changes and the reply is F; 

— $s = s'.v$: if the contents of spot $s'$ is an atom and $v$ is a field of that atom, 
then the contents of that field becomes the same as the contents of spot $s$ 
and the reply is T; otherwise, nothing changes and the reply is F. 

In the explanation given above, wherever we say that the contents of a spot or 
field becomes the same as the contents of another spot or field, this is meant 
to imply that the former contents becomes undefined if the latter contents is 
undefined. 

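The state-based description of the family of molecular dynamics services is as 
follows: 

$$
\begin{array}{l}
S = \{(\sigma, \alpha) \in \mathcal{SS} \times \mathcal{AS} \mid \mathrm{rng}(\sigma) \subseteq \mathrm{dom}(\alpha) \cup \{\bot\} \;\land \\
\qquad \forall a \in \mathrm{dom}(\alpha) \bullet \mathrm{rng}(\alpha(a)) \subseteq \mathrm{dom}(\alpha) \cup \{\bot\}\} \cup \{\uparrow\} ,
\end{array}
$$

where 

$$\mathcal{SS} = \mathsf{Spot} \to (\mathsf{PAtom} \cup \{\bot\}) ,$$

$$\mathcal{AS} = \bigcup_{A \in \mathcal{P}_{\mathrm{fin}}(\mathsf{PAtom})} \Bigl(A \to \bigcup_{F \in \mathcal{P}_{\mathrm{fin}}(\mathsf{Field})} (F \to (\mathsf{PAtom} \cup \{\bot\}))\Bigr) ,$$

and $\uparrow \notin \mathcal{SS} \times \mathcal{AS}$; $s_0$ is some $(\sigma, \alpha) \in S$; and $\mathit{eff}$ and $\mathit{yld}$ are defined in Tables 10 
and 11. We use the following notation for functions: $\mathrm{dom}(f)$ for the domain of 
the function $f$; $\mathrm{rng}(f)$ for the range of the function $f$; $[\,]$ for the empty function; 
$[d \mapsto r]$ for the function $f$ with $\mathrm{dom}(f) = \{d\}$ such that $f(d) = r$; $f \oplus g$ for 
the function $h$ with $\mathrm{dom}(h) = \mathrm{dom}(f) \cup \mathrm{dom}(g)$ such that for all $d \in \mathrm{dom}(h)$, 
$h(d) = f(d)$ if $d \notin \mathrm{dom}(g)$ and $h(d) = g(d)$ otherwise; and $f \mathbin{\lhd\!\!\!-} D$ for the function 
$g$ with $\mathrm{dom}(g) = \mathrm{dom}(f) \setminus D$ such that for all $d \in \mathrm{dom}(g)$, $g(d) = f(d)$. The 
function $\mathit{new} : \mathcal{P}_{\mathrm{fin}}(\mathsf{PAtom}) \to (\mathsf{PAtom} \cup \{\bot\})$ is defined by 

$$
\begin{array}{ll}
\mathit{new}(A) = \mathit{patom}(m + 1) & \text{if } m < \mathrm{card}(\mathsf{PAtom}) , \\
\mathit{new}(A) = \bot & \text{if } m \geq \mathrm{card}(\mathsf{PAtom}) ,
\end{array}
$$

where $m = \max\{n \mid \mathit{patom}(n) \in A\}$. 

Table 10. Effect function for molecular dynamics services 

$$
\begin{array}{ll}
\mathit{eff}(s\,!, (\sigma, \alpha)) = (\sigma \oplus [s \mapsto \mathit{new}(\mathrm{dom}(\alpha))], \alpha \oplus [\mathit{new}(\mathrm{dom}(\alpha)) \mapsto [\,]]) & \text{if } \mathit{new}(\mathrm{dom}(\alpha)) \neq \bot \\
\mathit{eff}(s\,!, (\sigma, \alpha)) = (\sigma, \alpha) & \text{if } \mathit{new}(\mathrm{dom}(\alpha)) = \bot \\
\mathit{eff}(s = s', (\sigma, \alpha)) = (\sigma \oplus [s \mapsto \sigma(s')], \alpha) & \\
\mathit{eff}(s = 0, (\sigma, \alpha)) = (\sigma \oplus [s \mapsto \bot], \alpha) & \\
\mathit{eff}(s == s', (\sigma, \alpha)) = (\sigma, \alpha) & \\
\mathit{eff}(s == 0, (\sigma, \alpha)) = (\sigma, \alpha) & \\
\mathit{eff}(s/v, (\sigma, \alpha)) = (\sigma, \alpha \oplus [\sigma(s) \mapsto \alpha(\sigma(s)) \oplus [v \mapsto \bot]]) & \text{if } \sigma(s) \neq \bot \land v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{eff}(s/v, (\sigma, \alpha)) = (\sigma, \alpha) & \text{if } \sigma(s) = \bot \lor v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{eff}(s \backslash v, (\sigma, \alpha)) = (\sigma, \alpha \oplus [\sigma(s) \mapsto \alpha(\sigma(s)) \mathbin{\lhd\!\!\!-} \{v\}]) & \text{if } \sigma(s) \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{eff}(s \backslash v, (\sigma, \alpha)) = (\sigma, \alpha) & \text{if } \sigma(s) = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{eff}(s \,|\, v, (\sigma, \alpha)) = (\sigma, \alpha) & \\
\mathit{eff}(s.v = s', (\sigma, \alpha)) = (\sigma, \alpha \oplus [\sigma(s) \mapsto \alpha(\sigma(s)) \oplus [v \mapsto \sigma(s')]]) & \text{if } \sigma(s) \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{eff}(s.v = s', (\sigma, \alpha)) = (\sigma, \alpha) & \text{if } \sigma(s) = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{eff}(s = s'.v, (\sigma, \alpha)) = (\sigma \oplus [s \mapsto \alpha(\sigma(s'))(v)], \alpha) & \text{if } \sigma(s') \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s'))) \\
\mathit{eff}(s = s'.v, (\sigma, \alpha)) = (\sigma, \alpha) & \text{if } \sigma(s') = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s'))) \\
\mathit{eff}(m, (\sigma, \alpha)) = {\uparrow} & \text{if } m \notin \mathcal{M}_{\mathrm{md}} \\
\mathit{eff}(m, \uparrow) = {\uparrow} &
\end{array}
$$

We write $\mathcal{MDS}$ for the family of molecular dynamics services described above. 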

Let $(\sigma, \alpha) \in S$, let $s \in \mathsf{Spot}$, let $a \in \mathrm{dom}(\alpha)$, and let $v \in \mathrm{dom}(\alpha(a))$. Then 
$\sigma(s)$ is the contents of spot $s$ if $\sigma(s) \neq \bot$, $v$ is a field of atom $a$, and $\alpha(a)(v)$ is the 
contents of field $v$ of atom $a$ if $\alpha(a)(v) \neq \bot$. The contents of spot $s$ is undefined if 
$\sigma(s) = \bot$, and the contents of field $v$ of atom $a$ is undefined if $\alpha(a)(v) = \bot$. Notice 
that $\mathrm{dom}(\alpha)$ is taken for the set of all existing atoms. Therefore, the contents 
of each spot, i.e. each element of $\mathrm{rng}(\sigma)$, must be in $\mathrm{dom}(\alpha)$ if the contents is 
defined. Moreover, for each existing atom $a$, the contents of each of its fields, 
i.e. each element of $\mathrm{rng}(\alpha(a))$, must be in $\mathrm{dom}(\alpha)$ if the contents is defined. The 
function $\mathit{new}$ turns proto-atoms into atoms. After all proto-atoms have been 
turned into atoms, $\mathit{new}$ yields $\bot$. This can only happen if the number of proto- 
atoms is finite. Molecular dynamics services get into state $\uparrow$ when refusing a 
request to process a command. 

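The notation for the methods of molecular dynamics services introduced 
in this section has a style which makes the notation $f.m$ less suitable in the 
case where $m$ is a method of molecular dynamics services. Therefore, we will 
henceforth write $f(m)$ instead of $f.m$ if $m \in \mathcal{M}_{\mathrm{md}}$. 

Table 11. Yield function for molecular dynamics services 

$$
\begin{array}{ll}
\mathit{yld}(s\,!, (\sigma, \alpha)) = \mathsf{T} & \text{if } \mathit{new}(\mathrm{dom}(\alpha)) \neq \bot \\
\mathit{yld}(s\,!, (\sigma, \alpha)) = \mathsf{F} & \text{if } \mathit{new}(\mathrm{dom}(\alpha)) = \bot \\
\mathit{yld}(s = s', (\sigma, \alpha)) = \mathsf{T} & \\
\mathit{yld}(s = 0, (\sigma, \alpha)) = \mathsf{T} & \\
\mathit{yld}(s == s', (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s) = \sigma(s') \\
\mathit{yld}(s == s', (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s) \neq \sigma(s') \\
\mathit{yld}(s == 0, (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s) = \bot \\
\mathit{yld}(s == 0, (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s) \neq \bot \\
\mathit{yld}(s/v, (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s) \neq \bot \land v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s/v, (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s) = \bot \lor v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s \backslash v, (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s) \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s \backslash v, (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s) = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s \,|\, v, (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s) \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s \,|\, v, (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s) = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s.v = s', (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s) \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s.v = s', (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s) = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s))) \\
\mathit{yld}(s = s'.v, (\sigma, \alpha)) = \mathsf{T} & \text{if } \sigma(s') \neq \bot \land v \in \mathrm{dom}(\alpha(\sigma(s'))) \\
\mathit{yld}(s = s'.v, (\sigma, \alpha)) = \mathsf{F} & \text{if } \sigma(s') = \bot \lor v \notin \mathrm{dom}(\alpha(\sigma(s'))) \\
\mathit{yld}(m, (\sigma, \alpha)) = \mathsf{R} & \text{if } m \notin \mathcal{M}_{\mathrm{md}} \\
\mathit{yld}(m, \uparrow) = \mathsf{R} &
\end{array}
$$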

We conclude this section with a simple example of the use of the methods of 
molecular dynamics services. 

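Example 4. Consider the threads 

$$P_{n+1} = \mathsf{md}(r\,!) \circ \mathsf{md}(t = r) \circ Q_n$$

where 

$$Q_0 = \mathsf{S} ,$$

$$Q_{i+1} = \mathsf{md}(s = t) \circ \mathsf{md}(t\,!) \circ \mathsf{md}(s/\mathit{up}) \circ \mathsf{md}(t/\mathit{dn}) \circ \mathsf{md}(s.\mathit{up} = t) \circ \mathsf{md}(t.\mathit{dn} = s) \circ Q_i .$$

The processing of all basic actions performed by thread $P_4$ by the molecular 
dynamics service of which the initial state is the unique $(\sigma, \alpha) \in S$ such that 
$\alpha = [\,]$ yields the molecule depicted in Figure 1. 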
[Figure 1: a molecule with three links labelled up and three links labelled dn.] 

Fig. 1. Molecule yielded by thread $P_4$ 
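
The state-based description and Example 4 can be checked by executing them. The following Python sketch is an added example, not code from the paper: it implements the effect and yield functions exactly as given in Tables 10 and 11 and processes the basic actions of thread $P_n$. The textual method syntax, the function names, the use of the integers 1, 2, ... as proto-atoms (so that patom(n) = n) and the `card` parameter for card(PAtom) are assumptions made for the illustration.

```python
import re

BOTTOM = None              # undefined contents of a spot or field
REJECTING = "REJECTING"    # state entered once a request has been rejected

# Concrete syntax for the methods (constructed for this example).
PATTERNS = [
    ("create",    r"(\w+)!"),
    ("clear",     r"(\w+) = 0"),
    ("is_undef",  r"(\w+) == 0"),
    ("equal",     r"(\w+) == (\w+)"),
    ("get_field", r"(\w+) = (\w+)\.(\w+)"),
    ("set_field", r"(\w+)\.(\w+) = (\w+)"),
    ("set_spot",  r"(\w+) = (\w+)"),
    ("add_field", r"(\w+)/(\w+)"),
    ("rm_field",  r"(\w+)\\(\w+)"),
    ("has_field", r"(\w+)\|(\w+)"),
]


def step(method, state, card=float("inf")):
    """Return (yld(method, state), eff(method, state)) per Tables 11 and 10.
    A state is REJECTING or a pair (sigma, alpha) of dicts; a spot missing
    from sigma has undefined contents."""
    if state == REJECTING:
        return "R", REJECTING
    sigma, alpha = state
    for kind, pattern in PATTERNS:
        match = re.fullmatch(pattern, method)
        if match:
            break
    else:
        return "R", REJECTING                    # method not in M_md
    g = match.groups()

    def done(cond, sg=sigma, al=alpha):
        # Reply T with the updated state, or F with the state unchanged.
        return ("T", (sg, al)) if cond else ("F", (sigma, alpha))

    if kind == "create":
        a = max(alpha, default=0) + 1            # new(dom(alpha)), patom(n) = n
        return done(a <= card, {**sigma, g[0]: a}, {**alpha, a: {}})
    if kind == "set_spot":                       # s = s'
        return done(True, {**sigma, g[0]: sigma.get(g[1])})
    if kind == "clear":
        return done(True, {**sigma, g[0]: BOTTOM})
    if kind == "equal":
        return done(sigma.get(g[0]) == sigma.get(g[1]))
    if kind == "is_undef":
        return done(sigma.get(g[0]) is BOTTOM)
    # The remaining methods inspect field v of the atom held by one spot.
    owner, v = (g[1], g[2]) if kind == "get_field" else (g[0], g[1])
    a = sigma.get(owner)
    fields = alpha.get(a, {})
    has = a is not BOTTOM and v in fields
    if kind == "add_field":
        return done(a is not BOTTOM and not has,
                    al={**alpha, a: {**fields, v: BOTTOM}})
    if kind == "rm_field":
        rest = {k: x for k, x in fields.items() if k != v}
        return done(has, al={**alpha, a: rest})
    if kind == "has_field":
        return done(has)
    if kind == "set_field":                      # s.v = s'
        return done(has, al={**alpha, a: {**fields, v: sigma.get(g[2])}})
    return done(has, sg={**sigma, g[0]: fields.get(v)})   # s = s'.v


def well_formed(state):
    """Condition on S: every defined spot or field content is an existing atom."""
    if state == REJECTING:
        return True
    sigma, alpha = state
    refs = list(sigma.values()) + [x for f in alpha.values() for x in f.values()]
    return all(x is BOTTOM or x in alpha for x in refs)


def thread_P(n):
    """Basic actions of P_n from Example 4 (focus md omitted), for n >= 1."""
    one_round = ["s = t", "t!", "s/up", "t/dn", "s.up = t", "t.dn = s"]
    return ["r!", "t = r"] + one_round * (n - 1)


def run(methods, state=None, card=float("inf")):
    """Process the methods in order; return the replies and the final state."""
    state = ({}, {}) if state is None else state
    replies = []
    for method in methods:
        reply, state = step(method, state, card)
        replies.append(reply)
    return replies, state
```

`run(thread_P(4))` ends in a state with four atoms chained by three up fields and three dn fields, with spot r holding the first atom and spot t the last.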

8 A Thread Calculus with Molecular Dynamics 

In this section, TC$_{\mathrm{md}}$ is introduced. TC$_{\mathrm{md}}$ is a version of TA$^{\mathrm{tsc}}$ with built-in 
features of molecular dynamics and additional operators to restrict the use of 
certain spots. Because spots are means of access to atoms, restriction of the use 
of certain spots may be needed to prevent interference between threads in the 
case where interleaving is involved. 

Like in TA$^{\mathrm{tsc}}$, it is assumed that a fixed but arbitrary set of foci $\mathcal{F}$ and a 
fixed but arbitrary set of methods $\mathcal{M}$ have been given. In addition, it is assumed 
that $\mathcal{M}_{\mathrm{md}} \subseteq \mathcal{M}$, spots do not occur in $m \in \mathcal{M}$ if $m \notin \mathcal{M}_{\mathrm{md}}$, and $H(\langle m \rangle) = \mathsf{R}$ 
for all $m \in \mathcal{M}_{\mathrm{md}}$ if $H \notin \mathcal{MDS}$. These additional assumptions express that 
the methods of molecular dynamics services are supposed to be built-in and 
that those methods cannot be processed by other services. The last assumption 
implies that access to atoms is supposed to be provided by molecular dynamics 
services only. Because the operators introduced below to restrict the use of spots 
bring along with them the need to rename spots freely, those operators make it 
unattractive to have only a limited number of spots available. Therefore, it is 
also assumed that Spot is an infinite set. 

Where restriction of their use is concerned, spots are thought of as names by 
which atoms are located. Restriction of the use of spots serves a similar purpose 
as restriction of the use of names in the $\pi$-calculus [30]. 

For each $f \in \mathcal{F}$ and $s \in \mathsf{Spot}$, we add a unary restriction operator $\mathsf{local}^f_s$ to 
the operators of TA$^{\mathrm{tsc}}$. The thread denoted by a closed term of the form $\mathsf{local}^f_s(p)$ 
is the thread denoted by $p$, but the use of spot $s$ is restricted to this thread as 
far as basic actions of the form $f.m$ are concerned. This means that spot $s$ is 
made a means to access some atom via focus $f$ that is local to the thread. 

The restriction operators of TC$_{\mathrm{md}}$ are name binding operators of a special 
kind. In $\mathsf{local}^f_s(p)$, the occurrence of $s$ in the subscript is a binding occurrence, 
but the scope of that occurrence is not simply $p$: an occurrence of $s$ in $p$ lies 
within the scope of the binding occurrence if and only if that occurrence is in a 
basic action of the form $f.m$. As a result, the set of free names of a term, the 
set of bound names of a term, and substitutions of names for free occurrences 
of names in a term always have a bearing on some focus. Spot $s$ is a free name 
of term $p$ with respect to focus $f$ if there is an occurrence of $s$ in $p$ that is in a 
basic action of the form $f.m$ that is not in a subterm of the form $\mathsf{local}^f_s(p')$. Spot 
$s$ is a bound name of term $p$ with respect to focus $f$ if there is an occurrence of 
$s$ in $p$ that is in a basic action of the form $f.m$ that is in a subterm of the form 
$\mathsf{local}^f_s(p')$. The substitution of spot $s'$ for free occurrences of spot $s$ with respect 
to focus $f$ in term $p$ replaces in $p$ all occurrences of $s$ in basic actions of the form 
$f.m$ that are not in a subterm of the form $\mathsf{local}^f_s(p')$ by $s'$. 

Table 12. Axioms for restriction 

$$
\begin{array}{lll}
\mathsf{local}^f_s(t) = \mathsf{local}^f_{s'}(t[s'/s]^f) & \text{if } s' \notin \mathrm{fn}^f(t) & \text{R1} \\
\mathsf{local}^f_s(\mathsf{S}) = \mathsf{S} & & \text{R2} \\
\mathsf{local}^f_s(\mathsf{D}) = \mathsf{D} & & \text{R3} \\
\mathsf{local}^f_s(\mathsf{tau} \circ x) = \mathsf{tau} \circ \mathsf{local}^f_s(x) & & \text{R4} \\
\mathsf{local}^f_s(x \unlhd g.m \unrhd y) = \mathsf{local}^f_s(x) \unlhd g.m \unrhd \mathsf{local}^f_s(y) & \text{if } f \neq g & \text{R5} \\
\mathsf{local}^f_s(x \unlhd f.m \unrhd y) = \mathsf{local}^f_s(x) \unlhd f.m \unrhd \mathsf{local}^f_s(y) & \text{if } s \notin \mathrm{n}(m) & \text{R6} \\
\parallel(\langle \mathsf{local}^f_s(x) \rangle \frown \alpha) = \mathsf{local}^f_s(\parallel(\langle x \rangle \frown \alpha)) & \text{if } s \notin \mathrm{fn}^f(\alpha) & \text{R7} \\
\mathsf{S_D}(\mathsf{local}^f_s(x)) = \mathsf{local}^f_s(\mathsf{S_D}(x)) & & \text{R8} \\
\mathsf{local}^f_s(x) \mathbin{/_g} H = \mathsf{local}^f_s(x \mathbin{/_g} H) & \text{if } f \neq g & \text{R9} \\
\mathsf{local}^f_s(x) \mathbin{/_f} H = x \mathbin{/_f} H & \text{if } H(\langle s == 0 \rangle) \neq \mathsf{F} & \text{R10} \\
\mathsf{local}^f_s(\mathsf{local}^g_{s'}(x)) = \mathsf{local}^g_{s'}(\mathsf{local}^f_s(x)) & & \text{R11}
\end{array}
$$

In Appendix A, $\mathrm{fn}^f(p)$, the set of free names of term $p$ with respect to focus 
$f$, $\mathrm{bn}^f(p)$, the set of bound names of term $p$ with respect to focus $f$, and $p[s'/s]^f$, 
the substitution of name $s'$ for free occurrences of name $s$ with respect to focus 
$f$ in term $p$, are defined. We will write $\mathrm{n}(m)$, where $m \in \mathcal{M}$, for the set of all 
names occurring in $m$. 

Par abus de langage, we will henceforth refer to term $p$ as the scope of the 
binding occurrence of $s$ in $\mathsf{local}^f_s(p)$. 

The axioms for restriction are given in Table 12. In this table, $s$ and $s'$ stand 
for arbitrary spots from Spot, $f$ and $g$ stand for arbitrary foci from $\mathcal{F}$, and $t$ 
stands for an arbitrary term over the signature of TC$_{\mathrm{md}}$. The crucial axioms are 
R1, R7, R9 and R10. Axiom R1 asserts that alpha-convertible restrictions are 
equal. Axiom R7 expresses that, in case the scope of a restricted spot is a thread 
in a thread vector, the scope can safely be extended to the strategic interleaving 
of that thread vector if the restricted spot is not freely used by the other threads 
in the thread vector through the focus concerned. Axiom R9 expresses that, in 
case the scope of a restricted spot is a thread that is composed with a service and 
the foci concerned are different, the scope can safely be extended to the thread- 
service composition. Axiom R10 expresses that, in case the scope of a restricted 
spot is a thread that is composed with a service and the foci concerned are equal, 
the restriction can be raised if the contents of the restricted spot is undefined - 
indicating that it is not in use by any thread to access some atom. 

Axiom R1, together with the assumption that Spot is infinite, has an impor- 
tant consequence: in case axiom R7 or axiom R10 cannot be applied directly 
because the condition on the restricted spot is not satisfied, it can always be 
applied after application of axiom R1. 
Next we give a simple example of the use of restriction. 

Example 5. In the expressions $p \unlhd \mathsf{md}(s.v = s'.w) \unrhd q$ and $p \unlhd \mathsf{md}(s.v.w = s') \unrhd q$, 
where $p$ and $q$ are terms over the signature of TC$_{\mathrm{md}}$, a get field method is 
combined in different ways with a set field method. This results in expressions 
that are not terms over the signature of TC$_{\mathrm{md}}$. However, these expressions could 
be considered abbreviations for the following terms over the signature of TC$_{\mathrm{md}}$: 

$$\mathsf{local}^{\mathsf{md}}_{s''}(\mathsf{md}(s'' = s'.w) \circ (p \unlhd \mathsf{md}(s.v = s'') \unrhd q)) ,$$

$$\mathsf{local}^{\mathsf{md}}_{s''}(\mathsf{md}(s'' = s.v) \circ (p \unlhd \mathsf{md}(s''.w = s') \unrhd q)) ,$$

where $s'' \notin \mathrm{fn}^{\mathsf{md}}(p) \cup \mathrm{fn}^{\mathsf{md}}(q)$. The importance of the use of restriction here is 
that it prevents interference by means of $s''$ in the case where interleaving is 
involved, as illustrated by the following derivable equations: 

$$
\begin{array}{l}
\parallel(\langle \mathsf{md}(s'' = s'.w) \circ (p \unlhd \mathsf{md}(s.v = s'') \unrhd q) \rangle \frown \langle \mathsf{md}(s'' = 0) \circ \mathsf{S} \rangle) \\
\quad = \mathsf{md}(s'' = s'.w) \circ \mathsf{md}(s'' = 0) \circ (p \unlhd \mathsf{md}(s.v = s'') \unrhd q) , \\[1ex]
\parallel(\langle \mathsf{local}^{\mathsf{md}}_{s''}(\mathsf{md}(s'' = s'.w) \circ (p \unlhd \mathsf{md}(s.v = s'') \unrhd q)) \rangle \frown \langle \mathsf{md}(s'' = 0) \circ \mathsf{S} \rangle) \\
\quad = \mathsf{local}^{\mathsf{md}}_{s'''}(\mathsf{md}(s''' = s'.w) \circ \mathsf{md}(s'' = 0) \circ (p \unlhd \mathsf{md}(s.v = s''') \unrhd q)) ,
\end{array}
$$

where $s''' \notin \mathrm{fn}^{\mathsf{md}}(p) \cup \mathrm{fn}^{\mathsf{md}}(q) \cup \{s''\}$. The first equation shows that there is 
interference if restriction is not used, whereas the second equation shows that 
there is no interference if restriction is used. Notice that derivation of the second 
equation requires that axiom R1 is applied before axiom R7 is applied. 

Not every closed term over the signature of TC$_{\mathrm{md}}$ can be reduced to a closed 
term over the signature of BTA(FM), e.g. a term of the form $\mathsf{local}^f_s(p \unlhd f.m \unrhd q)$, 
where $p$ and $q$ are closed terms over the signature of BTA(FM), cannot be 
reduced further if $s \in \mathrm{n}(m)$. To elaborate on this remark, we introduce the 
notion of a basic term. The set $\mathcal{B}$ of basic terms is inductively defined by the 
following rules: 

— $\mathsf{S}, \mathsf{D} \in \mathcal{B}$; 

— if $p \in \mathcal{B}$, then $\mathsf{tau} \circ p \in \mathcal{B}$; 

— if $f \in \mathcal{F}$, $m \in \mathcal{M}$, and $p, q \in \mathcal{B}$, then $p \unlhd f.m \unrhd q \in \mathcal{B}$; 

— if $f \in \mathcal{F}$, $m \in \mathcal{M}$, $s_1, \ldots, s_n \in \mathrm{n}(m)$, $s_i \neq s_j$ for all $i, j \in [1, n]$ with $i \neq j$, 
and $p, q \in \mathcal{B}$, then $\mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p \unlhd f.m \unrhd q) \ldots) \in \mathcal{B}$. 

We can prove that each closed term over the signature of TC$_{\mathrm{md}}$ can be reduced 
to a term from $\mathcal{B}$. 

Theorem 3 (Elimination). For all closed terms $p$ over the signature of TC$_{\mathrm{md}}$, 
there exists a term $q \in \mathcal{B}$ such that $p = q$ is derivable from the axioms of TC$_{\mathrm{md}}$. 

Proof. The proof follows the same line as the proof of Theorem 2 presented 
in [14]. This means that it is a proof by induction on the structure of $p$ in which 
some cases boil down to proving a lemma by some form of induction or another, 
mostly structural induction again. Here, we have to consider the additional case 
$p = \mathsf{local}^f_s(p')$, where we can restrict ourselves to basic terms $p'$. This case is 
easily proved by structural induction using axioms R2-R6 and R11. In the case 
$p = \parallel(\langle p'_1 \rangle \frown \ldots \frown \langle p'_k \rangle)$, where we can restrict ourselves to basic terms $p'_1, \ldots, p'_k$, 
we have to consider the additional case $p'_1 =$ loca 

with $s_1, \ldots, s_n \in \mathrm{n}(m)$ and $s_i \neq s_j$ for all $i, j \in [1, n]$ for which $i \neq j$. After 
applying axioms R1 and R7 sufficiently many times at the beginning, this case 
goes analogous to the case $p'_1 = p''_1 \unlhd f.m \unrhd p'''_1$. In the case $p = \mathsf{S_D}(p')$, where we 
can restrict ourselves to basic terms $p'$, we have to consider the additional case 
$p' = \mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p'' \unlhd f.m \unrhd p''') \ldots)$ with $s_1, \ldots, s_n \in \mathrm{n}(m)$ and $s_i \neq s_j$ 
for all $i, j \in [1, n]$ for which $i \neq j$. After applying axiom R8 $n$ times at the 
beginning, this case goes analogous to the case $p' = p'' \unlhd f.m \unrhd p'''$. In the 
case $p = p' \mathbin{/_f} H$, where we can restrict ourselves to basic terms $p'$, we have 
to consider the additional case $p' = \mathsf{local}^g_{s_1}(\ldots \mathsf{local}^g_{s_n}(p'' \unlhd g.m \unrhd p''') \ldots)$ with 
$s_1, \ldots, s_n \in \mathrm{n}(m)$ and $s_i \neq s_j$ for all $i, j \in [1, n]$ for which $i \neq j$. After applying 
axiom R9 or axioms R1 and R10 sufficiently many times at the beginning, this 
case goes analogous to the case $p' = p'' \unlhd g.m \unrhd p'''$. □ 

The following proposition, concerning the cyclic interleaving of a thread vector 
of length 1 in the presence of thread-service composition and restriction, is easily 
proved using Theorem 3. 

Proposition 7. For all closed terms $p$ over the signature of TC$_{\mathrm{md}}$, the equation 
$\parallel(\langle p \rangle) = p$ is derivable from the axioms of TC$_{\mathrm{md}}$. 

Proof. The proof follows the same line as the proof of Proposition 1 presented 
in [14]. This means that it is a simple proof by induction on the structure of $p$. 
We have to consider the additional case $p = \mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p' \unlhd f.m \unrhd p'') \ldots)$ 
with $s_1, \ldots, s_n \in \mathrm{n}(m)$ and $s_i \neq s_j$ for all $i, j \in [1, n]$ for which $i \neq j$. This 
case goes similar to the case $p = p' \unlhd f.m \unrhd p''$. Axioms R1 and R7 are applied 
sufficiently many times at the beginning and at the end. □ 

The following are useful properties of the deadlock at termination operator in the 
presence of thread-service composition and restriction which are proved using 
Theorem 3. 

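Proposition 8. For all closed terms $p_1, \ldots, p_k$ over the signature of TC$_{\mathrm{md}}$, the 
following equations are derivable from the axioms of TC$_{\mathrm{md}}$: 

$$\mathsf{S_D}(\parallel(\langle p_1 \rangle \frown \ldots \frown \langle p_k \rangle)) = \parallel(\langle \mathsf{S_D}(p_1) \rangle \frown \ldots \frown \langle \mathsf{S_D}(p_k) \rangle) , \qquad (1)$$

$$\mathsf{S_D}(\mathsf{S_D}(p_1)) = \mathsf{S_D}(p_1) , \qquad (2)$$

$$\mathsf{S_D}(p_1 \mathbin{/_f} H) = \mathsf{S_D}(p_1) \mathbin{/_f} H . \qquad (3)$$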



Proof. The proof follows the same line as the proof of Proposition 3 presented 
in [14]. This means that equation (1) is proved by induction on the sum of 
the depths plus one of $p_1, \ldots, p_k$ and case distinction on the structure of $p_1$, 
and that equations (2) and (3) are proved by induction on the structure of 
$p_1$. For each of the equations, we have to consider the additional case $p_1 = 
\mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p'_1 \unlhd f.m \unrhd p''_1) \ldots)$ with $s_1, \ldots, s_n \in \mathrm{n}(m)$ and $s_i \neq s_j$ for all 
$i, j \in [1, n]$ for which $i \neq j$. For each of the equations, this case goes similar 
to the case $p_1 = p'_1 \unlhd f.m \unrhd p''_1$. In case of equation (1), axioms R1 and R7 
are applied sufficiently many times at the beginning and at the end. In case of 
equation (2), axiom R8 is applied $n$ times at the beginning and at the end. In 
case of equation (3), axiom R9 or axioms R1 and R10 are applied sufficiently 
many times at the beginning and at the end. □ 

Proposition 9. Let $t$ be a term over the signature of BTA+REC such that 
$\mathsf{fix}_x(t)$ is a closed term. Then there exists a term $t'$ over the signature of 
BTA+REC such that $\mathsf{local}^f_s(\mathsf{fix}_x(t)) = \mathsf{fix}_y(t')$ is derivable from the axioms of 
TC$_{\mathrm{md}}$+REC provided for all actions $g.m$ occurring in $t$ either $f \neq g$ or $s \notin \mathrm{n}(m)$. 

Proof. The proof follows the same line as the proofs of Propositions 4-6 pre- 
sented in [14]. □ 

We refrain from providing a structural operational semantics of TC$_{\mathrm{md}}$. In 
the case where we do not deviate from the style of structural operational seman- 
tics adopted for BTA, TA and TA$^{\mathrm{tsc}}$, the obvious way to deal with restriction 
involves the introduction of bound actions, together with a scope opening tran- 
sition rule (for restriction) and a scope closing transition rule (for thread-service 
composition), like in [30]. This would complicate matters to such an extent that 
the structural operational semantics of TC$_{\mathrm{md}}$ would add only marginally to a 
better understanding. In Section 10, we will adapt the strategic interleaving op- 
erator for cyclic interleaving such that it supports a basic form of thread forking. 
In the presence of thread forking, it is even more complicated to deal with re- 
striction in a structural operational semantics because the name binding involved 
becomes more dynamic. 



9 Projection and the Approximation Induction Principle 

Each closed term over the signature of TC$_{\mathrm{md}}$ denotes a finite thread, i.e. a thread 
of which the length of the sequences of actions that it can perform is bounded. 
However, not each closed term over the signature of TC$_{\mathrm{md}}$+REC denotes a finite 
thread: recursion gives rise to infinite threads. Closed terms over the signature 
of TC$_{\mathrm{md}}$+REC that denote the same infinite thread cannot always be proved 
equal by means of the axioms of TC$_{\mathrm{md}}$+REC. In this section, we introduce the 
approximation induction principle to reason about infinite threads. 

The approximation induction principle, AIP in short, is based on the view 
that two threads are identical if their approximations up to any finite depth are 
identical. The approximation up to depth $n$ of a thread is obtained by cutting 
it off after performing a sequence of actions of length $n$. 

AIP is the infinitary conditional equation given in Table 13. Here, following
[9], approximation up to depth n is phrased in terms of a unary projection
operator $\pi_n$. The axioms for the projection operators are given in Table 14.
In this table, a stands for an arbitrary action from $\mathcal{A}_{\mathsf{tau}}$,
s stands for an arbitrary spot from Spot, and f stands for an arbitrary focus
from $\mathcal{F}$.

Table 13. Approximation induction principle

$\bigwedge_{n \geq 0} \pi_n(x) = \pi_n(y) \Rightarrow x = y$    AIP

Table 14. Axioms for projection operators

$\pi_0(x) = \mathsf{D}$    P0
$\pi_{n+1}(\mathsf{S}) = \mathsf{S}$    P1
$\pi_{n+1}(\mathsf{D}) = \mathsf{D}$    P2
$\pi_{n+1}(x \unlhd a \unrhd y) = \pi_n(x) \unlhd a \unrhd \pi_n(y)$    P3
$\pi_{n+1}(\mathsf{local}^s_f(x)) = \mathsf{local}^s_f(\pi_{n+1}(x))$    P4

Let T stand for either TCmd or TCmd+REC. Then we will write T+PR for
T extended with the projection operators $\pi_n$ and axioms P0-P4, and we will
write T+AIP for T extended with the projection operators $\pi_n$, axioms P0-P4,
and axiom AIP.

AIP holds in the projective limit models for TCmd and TCmd+REC that
will be constructed in Sections 12 and 14, respectively. Axiom REC2 is derivable
from the axioms of TCmd, axiom REC1 and AIP.

Not every closed term over the signature of TCmd+REC can be reduced to a
basic term. However, we can prove that, for each closed term p over the signature
of TCmd+REC, for each $n \in \mathbb{N}$, $\pi_n(p)$ can be reduced to a basic term.

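First, we introduce the notion of a first-level basic term. Let $\mathcal{C}$ be the set
of all closed terms over the signature of TCmd+REC+PR. Then the set $\mathcal{B}^1$ of
first-level basic terms is inductively defined by the following rules:

- $\mathsf{S}, \mathsf{D} \in \mathcal{B}^1$;

- if $p \in \mathcal{C}$, then $\mathsf{tau} \circ p \in \mathcal{B}^1$;

- if $f \in \mathcal{F}$, $m \in \mathcal{M}$, and $p, q \in \mathcal{C}$, then $p \unlhd f.m \unrhd q \in \mathcal{B}^1$;

- if $f \in \mathcal{F}$, $m \in \mathcal{M}$, $s_1, \ldots, s_n \in n(m)$, $s_i \neq s_j$ for all $i, j \in [1, n]$ with $i \neq j$,
and $p, q \in \mathcal{C}$, then $\mathsf{local}^{s_1}_f(\ldots \mathsf{local}^{s_n}_f(p \unlhd f.m \unrhd q) \ldots) \in \mathcal{B}^1$.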

Every closed term over the signature of TCmd+REC+PR can be reduced to a 
first-level basic term. 

Proposition 10. For all closed terms p over the signature of TCmd+REC+PR,
there exists a term $q \in \mathcal{B}^1$ such that p = q is derivable from the axioms of
TCmd+REC+PR.

Proof. This is easily proved by induction on the structure of p, and in the case
$p = \|(\langle p'_1 \rangle \curvearrowright \ldots \curvearrowright \langle p'_k \rangle)$ by induction on k and case distinction on the structure
of $p'_1$. □

Proposition 10 is used in the proof of the following theorem.

Theorem 4. For all closed terms p over the signature of TCmd+REC, for all
$n \in \mathbb{N}$, there exists a term $q \in \mathcal{B}$ such that $\pi_n(p) = q$ is derivable from the
axioms of TCmd+REC+PR.

Proof. By Proposition 10, it is sufficient to prove that, for all closed terms $p \in \mathcal{B}^1$,
for all $n \in \mathbb{N}$, there exists a term $q \in \mathcal{B}$ such that $\pi_n(p) = q$ is derivable from the
axioms of TCmd+REC+PR. This is easily proved by induction on n and case
distinction on the structure of p. □

Table 15. Additional axioms for thread forking

$\|(\langle x \unlhd \mathsf{nt}(z) \unrhd y \rangle \curvearrowright \alpha) = \mathsf{tau} \circ \|(\alpha \curvearrowright \langle z \rangle \curvearrowright \langle x \rangle)$    CSI6
$\mathsf{S_D}(x \unlhd \mathsf{nt}(z) \unrhd y) = \mathsf{S_D}(x) \unlhd \mathsf{nt}(\mathsf{S_D}(z)) \unrhd \mathsf{S_D}(y)$    S2D5
$(x \unlhd \mathsf{nt}(z) \unrhd y) /_f H = (x /_f H) \unlhd \mathsf{nt}(z /_f H) \unrhd (y /_f H)$    TSC8
$\mathsf{local}^s_f(x \unlhd \mathsf{nt}(z) \unrhd y) = \mathsf{local}^s_f(x) \unlhd \mathsf{nt}(\mathsf{local}^s_f(z)) \unrhd \mathsf{local}^s_f(y)$    R12
$\pi_{n+1}(x \unlhd \mathsf{nt}(z) \unrhd y) = \pi_n(x) \unlhd \mathsf{nt}(\pi_n(z)) \unrhd \pi_n(y)$    P5

10 Thread Forking 

In this section, we adapt the strategic interleaving operator for cyclic interleaving 
such that it supports a basic form of thread forking. We will do so like in [13]. 

We add the ternary forking postconditional composition operator $\_ \unlhd \mathsf{nt}(\_) \unrhd \_$
to the operators of TCmd. Like action prefixing, we introduce forking prefixing
as an abbreviation: $\mathsf{nt}(p) \circ q$, where p and q are terms over the signature of
TCmd with thread forking, abbreviates $q \unlhd \mathsf{nt}(p) \unrhd q$. Henceforth, the
postconditional composition operators introduced in Section 2 will be called non-forking
postconditional composition operators.

The forking postconditional composition operator has the same shape as non- 
forking postconditional composition operators. Formally, no action is involved 
in forking postconditional composition. However, for an operational intuition, in 
$p \unlhd \mathsf{nt}(r) \unrhd q$, $\mathsf{nt}(r)$ can be considered a thread forking action. It represents the act
of forking off thread r. Like with real actions, a reply is produced. We consider 
the case where forking off a thread will never be blocked or fail. In that case, 
it always leads to the reply T. The action tau is left as a trace of forking off a 
thread. In [13], we treat several interleaving strategies for threads that support a 
basic form of thread forking. Those interleaving strategies deal with cases where 
forking may be blocked and/or may fail. All of them can easily be adapted 
to the current setting. In [13], nt(r) was formally considered a thread forking 
action. We experienced afterwards that this leads to unnecessary complications 
in expressing definitions and results concerning the projective limit model for 
the thread algebra developed in this paper (see Section 12). 

The axioms for TCmd with thread forking, written $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$, are the axioms of
TCmd and axioms CSI6, S2D5, TSC8 and R12 from Table 15. The axioms for
TCmd+AIP with thread forking, written $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+AIP, are the axioms of TCmd
and axioms CSI6, S2D5, TSC8, R12 and P5 from Table 15.

Table 16. Additional transition rules for thread forking

{x<nt[p)>y,p) A {x,p)

Xli,...,Xkl,{xk+l,p) >{Xk+i,p)

mx,) - ... - {x,+^) - a),p) ^ {\\{a - (y) - {x',+,)),p') " °

{\\{{x^) - ... - (Xk+i) - a), P> ^ (||(a - (D> - (y) - p') "

Recursion is added to $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ as it is added to BTA, TA, $\mathrm{TA}^{\mathrm{tsc}}$ and TCmd
in Section 5, taking the following adapted definition of guardedness of variables
in terms: a variable x is guarded in a term t if each free occurrence of x in t is
contained in a subterm of the form $t' \unlhd a \unrhd t''$ or $t' \unlhd \mathsf{nt}(t''') \unrhd t''$.

Not all results concerning the strategic interleaving operator for cyclic
interleaving go through if this basic form of thread forking is added. Theorems 3
and 4 go through if we add the following rule to the inductive definition of $\mathcal{B}$
given in Section 8: if $p, q, r \in \mathcal{B}$, then $p \unlhd \mathsf{nt}(r) \unrhd q \in \mathcal{B}$. Proposition 10 goes
through if we add the following rule to the inductive definition of $\mathcal{B}^1$ given in
Section 9: if $p, q, r \in \mathcal{C}$, then $p \unlhd \mathsf{nt}(r) \unrhd q \in \mathcal{B}^1$. Proposition 7 and the first part
of Proposition 8 go through only for closed terms in which the forking postconditional
composition operator does not occur. Proposition 4 goes through for terms
in which the forking postconditional composition operator does not occur. It is
an open problem whether Proposition 4 goes through for terms in which the
forking postconditional composition operator does occur.

The transition rules for cyclic interleaving with thread forking in the
absence of restriction are given in Tables 5 and 16. Here, we use a binary relation
$\langle \_, \rho \rangle \xrightarrow{a} \langle \_, \rho' \rangle$ for each $a \in \mathcal{A}_{\mathsf{tau}} \cup \{\mathsf{nt}(p) \mid p \text{ closed term over signature of } \mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}\}$
and $\rho, \rho' \in \mathcal{E}$. Bisimulation equivalence is a congruence with respect to cyclic
interleaving with thread forking. The transition labels containing terms do not
complicate matters because there are no volatile operators involved (see e.g. [31]).



11 Modelling a More Advanced Form of Thread Forking 

In this section, we use restriction to model a form of thread forking found in 
contemporary programming languages such as Java and C#. The modelling is 
divided into two steps. It is assumed that $\mathsf{md} \in \mathcal{F}$, $\mathsf{this} \in$ Spot, and $\mathsf{active} \in$ Field.

Firstly, we introduce expressions of the form $\mathsf{nt}'(s, s', p) \circ q$, where p and q
are terms over the signature of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC such that s ^ bi^'^{q).

The intuition is that $\mathsf{nt}'(s, s', p) \circ q$ will not only fork off p, like $\mathsf{nt}(p) \circ q$,
but will also have the following side-effect: a new atom is created which is made
accessible by means of spot s to the thread being forked off and by means of spot
s' to the thread forking off. The new atom serves as a unique object associated
with the thread being forked off. The spots s and s' serve as the names available
in the thread being forked off and the thread forking off, respectively, to refer to
that object. The important issue is that s is meant to be locally available only.

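An expression of the form $\mathsf{nt}'(s, s', p) \circ q$, where p and q are as above,
can be considered an abbreviation for the following term over the signature
of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC:

$\mathsf{local}^{s}_{\mathsf{md}}(\mathsf{md}(s\,!) \circ \mathsf{md}(s' = s) \circ \mathsf{nt}(p) \circ q)$.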

Restriction is used here to see to it that s does not become globally available. 

Secondly, we introduce expressions of the form $\mathsf{nt}''(s, p) \circ q$, where p and q
are terms over the signature of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC such that this ^ ivT'^^q). The spot
this corresponds with the self-reference this in Java.

The intuition is that $\mathsf{nt}''(s, p) \circ q$ behaves as $\mathsf{nt}'(\mathsf{this}, s, p) \circ q$, except that it
is not till the thread forking off issues a start command that the thread being
forked off behaves as p. In other words, $\mathsf{nt}''(s, p) \circ q$ is closely related to the form
of thread forking that is for instance found in Java, where first a statement of
the form AThread s = new AThread is used to create a thread object and then
a statement of the form s.start() is used to start the execution of the thread
associated with the created object.

An expression of the form $\mathsf{nt}''(s, p) \circ q$, where p and q are as above, can be
considered an abbreviation for the following term over the signature of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC,
using the abbreviation introduced above:

$\mathsf{nt}'(\mathsf{this}, s, \mathsf{fix}_x(p \unlhd \mathsf{md}(s \mid \mathsf{active}) \unrhd x)) \circ q$.

This means that the action md(s/active) can be used in q as start command for
p, and by that corresponds with the statement s.start() in Java.

In the remainder of this section, we introduce Java-like thread forking in 
a program notation which is close to existing assembly languages and describe 
the behaviour produced by programs in this program notation by means of 
$\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC.

A hierarchy of program notations rooted in program algebra is introduced 
in [9]. One program notation that belongs to this hierarchy is PGLD, a very 
simple program notation which is close to existing assembly languages. It has 
absolute jump instructions and no explicit termination instruction. Here, we 
introduce $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$, an extension of PGLD with fork instructions.

The primitive instructions of $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ are:

- for each $a \in \mathcal{A}$, a basic instruction a;

- for each $a \in \mathcal{A}$, a positive test instruction +a;

- for each $a \in \mathcal{A}$, a negative test instruction -a;

- for each $l \in \mathbb{N}$, an absolute jump instruction ##l;

- for each $s \in$ Spot and $l \in \mathbb{N}$, an absolute fork instruction s = nt##l.

Table 17. Defining equations for thread extraction

A $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ program has the form $u_1 ; \ldots ; u_n$, where $u_1, \ldots, u_n$ are primitive
instructions of $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$.

The intuition is that the execution of a basic action a produces either T or F
at its completion. In the case of a positive test instruction +a, a is executed and
execution proceeds with the next primitive instruction if T is produced.
Otherwise, the next primitive instruction is skipped and execution proceeds with the
primitive instruction following the skipped one. In the case of a negative test
instruction -a, the role of the value produced is reversed. In the case of a basic
instruction a, execution always proceeds as if T is produced. The effect of an
absolute jump instruction ##l is that execution proceeds with the l-th instruction
of the program concerned. If ##l is itself the l-th instruction, deadlock occurs.
At any stage, if there is no instruction to proceed execution with, termination
occurs.

Let $\mathfrak{A}$ be a model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP. Then the thread extraction operation
|_| gives, for each $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ program P, an element from the domain of $\mathfrak{A}$ that
represents the thread produced by P. This operation is defined by ; . . . '■Un\ =
\\{{\ui ; . . . ; Un\\)) , where the operation |_|^ is defined by the equations given in
Table 17 (for primitive instructions of $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$, $i, l \in \mathbb{N}$, and $a \in \mathcal{A}$)
and the rule that |ui ; . . . ; u„|| = D if Uj is a jump instruction contained in a
cyclic chain of jump instructions.

Two $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ programs are considered behavioural equivalent if |P| = |Q|.
We will come back to behavioural equivalence of $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ programs in
Section 18.

12 Projective Limit Model for TCmd 

In this section, we construct a projective limit model for TCmd. In this model,
which covers finite and infinite threads, threads are represented by infinite se- 
quences of finite approximations. 

To express definitions more concisely, the interpretations of the constants
and operators from the signature of TCmd in the initial model of TCmd and
the projective limit model of TCmd are denoted by the constants and operators
themselves. The ambiguity thus introduced could be obviated by decorating the
symbols, with different decorations for different models, when they are used
to denote their interpretation in a model. However, in this paper, it is always
immediately clear from the context how the symbols are used. Moreover, we
believe that the decorations are more often than not distracting. Therefore, we
leave it to the reader to mentally decorate the symbols wherever appropriate.

The projective limit construction is known as the inverse limit construction
in domain theory, the theory underlying the approach of denotational semantics
for programming languages (see e.g. [34]). In process algebra, this construction
has been applied for the first time by Bergstra and Klop [8].

We will write $A_\omega$ for the domain of the initial model of TCmd. $A_\omega$ consists of
the equivalence classes of terms from $\mathcal{B}$ with respect to the equivalence induced
by the axioms of TCmd. In other words, modulo equivalence, $A_\omega$ is $\mathcal{B}$. Henceforth,
we will identify terms from $\mathcal{B}$ with their equivalence class where elements of $A_\omega$
are concerned.

Each element of $A_\omega$ represents a finite thread, i.e. a thread of which the
length of the sequences of actions that it can perform is bounded. Below, we will
construct a model that covers infinite threads as well. In preparation for that, we
define for all n a function that cuts off finite threads from $A_\omega$ after performing
a sequence of actions of length n.

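For all $n \in \mathbb{N}$, we have the projection function $\pi_n : A_\omega \to A_\omega$, inductively
defined by

$\pi_0(p) = \mathsf{D}$,
$\pi_{n+1}(\mathsf{S}) = \mathsf{S}$,
$\pi_{n+1}(\mathsf{D}) = \mathsf{D}$,
$\pi_{n+1}(p \unlhd a \unrhd q) = \pi_n(p) \unlhd a \unrhd \pi_n(q)$,
$\pi_{n+1}(\mathsf{local}^s_f(p)) = \mathsf{local}^s_f(\pi_{n+1}(p))$.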

For $p \in A_\omega$, $\pi_n(p)$ is called the n-th projection of p. It can be thought of as an
approximation of p. If $\pi_n(p) \neq p$, then $\pi_{n+1}(p)$ can be thought of as the closest
better approximation of p. If $\pi_n(p) = p$, then $\pi_{n+1}(p) = p$ as well. For all $n \in \mathbb{N}$,
we will write $A_n$ for $\{\pi_n(p) \mid p \in A_\omega\}$.

The semantic equations given above to define the projection functions have 
the same shape as the axioms for the projection operators introduced in Sec- 
tion 9. We will come back to this at the end of Section 14. 

The properties of the projection operations stated in the following two lem- 
mas will be used frequently in the sequel. 

Lemma 1. For all $p \in A_\omega$ and $n, m \in \mathbb{N}$, $\pi_n(\pi_m(p)) = \pi_{\min\{n,m\}}(p)$.

Proof. This is easily proved by induction on the structure of p. □ 

Lemma 2. For all $p_1, \ldots, p_m \in A_\omega$ and $n, n_1, \ldots, n_m \in \mathbb{N}$ with $n \leq n_1, \ldots, n_m$:

$\pi_n(\|(\langle p_1 \rangle \curvearrowright \ldots \curvearrowright \langle p_m \rangle)) = \pi_n(\|(\langle \pi_{n_1}(p_1) \rangle \curvearrowright \ldots \curvearrowright \langle \pi_{n_m}(p_m) \rangle))$ ,    (1)
$\pi_n(\mathsf{S_D}(p_1)) = \mathsf{S_D}(\pi_n(p_1))$ ,    (2)
$\pi_n(p_1 /_f H) = \pi_n(p_1) /_f H$ .    (3)

Proof. Equation 1 is straightforwardly proved by induction on n + m and case
distinction on the structure of $p_1$. Equations 2 and 3 are easily proved by
induction on the structure of $p_1$. □

In the projective limit model, which covers finite and infinite threads, threads
are represented by projective sequences, i.e. infinite sequences $(p_n)_{n \in \mathbb{N}}$ of elements
of $A_\omega$ such that $p_n \in A_n$ and $p_n = \pi_n(p_{n+1})$ for all $n \in \mathbb{N}$. In other words, a
projective sequence is a sequence of which successive components are successive
projections of the same thread. The idea is that any infinite thread is fully
characterized by the infinite sequence of all its finite approximations. We will
write $A^\infty$ for $\{(p_n)_{n \in \mathbb{N}} \mid \bigwedge_{n \in \mathbb{N}} (p_n \in A_n \wedge p_n = \pi_n(p_{n+1}))\}$.

The projective limit model of TCmd consists of the following: 

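- the set $A^\infty$, the domain of the projective limit model;

- an element of $A^\infty$ for each constant of TCmd;

- an operation on $A^\infty$ for each operator of TCmd;

where those elements of $A^\infty$ and operations on $A^\infty$ are defined as follows:

$\mathsf{S} = (\pi_n(\mathsf{S}))_{n \in \mathbb{N}}$ ,
$\mathsf{D} = (\pi_n(\mathsf{D}))_{n \in \mathbb{N}}$ ,
$(p_n)_{n \in \mathbb{N}} \unlhd a \unrhd (q_n)_{n \in \mathbb{N}} = (\pi_n(p_n \unlhd a \unrhd q_n))_{n \in \mathbb{N}}$ ,
$\|(\langle (p_{1n})_{n \in \mathbb{N}} \rangle \curvearrowright \ldots \curvearrowright \langle (p_{mn})_{n \in \mathbb{N}} \rangle) = (\pi_n(\|(\langle p_{1n} \rangle \curvearrowright \ldots \curvearrowright \langle p_{mn} \rangle)))_{n \in \mathbb{N}}$ ,
$\mathsf{S_D}((p_n)_{n \in \mathbb{N}}) = (\pi_n(\mathsf{S_D}(p_n)))_{n \in \mathbb{N}}$ ,
$(p_n)_{n \in \mathbb{N}} /_f H = (\pi_n(p_n /_f H))_{n \in \mathbb{N}}$ ,
$\mathsf{local}^s_f((p_n)_{n \in \mathbb{N}}) = (\pi_n(\mathsf{local}^s_f(p_n)))_{n \in \mathbb{N}}$ .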

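Using Lemmas 1 and 2, we easily prove for $(p_n)_{n \in \mathbb{N}}, (q_n)_{n \in \mathbb{N}} \in A^\infty$ and
$(p_{1n})_{n \in \mathbb{N}}, \ldots, (p_{mn})_{n \in \mathbb{N}} \in A^\infty$:

- $\pi_n(\pi_{n+1}(p_{n+1} \unlhd a \unrhd q_{n+1})) = \pi_n(p_n \unlhd a \unrhd q_n)$;

- $\pi_n(\pi_{n+1}(\|(\langle p_{1\,n+1} \rangle \curvearrowright \ldots \curvearrowright \langle p_{m\,n+1} \rangle))) = \pi_n(\|(\langle p_{1n} \rangle \curvearrowright \ldots \curvearrowright \langle p_{mn} \rangle))$;

- $\pi_n(\pi_{n+1}(\mathsf{S_D}(p_{n+1}))) = \pi_n(\mathsf{S_D}(p_n))$;

- $\pi_n(\pi_{n+1}(p_{n+1} /_f H)) = \pi_n(p_n /_f H)$;

- $\pi_n(\pi_{n+1}(\mathsf{local}^s_f(p_{n+1}))) = \pi_n(\mathsf{local}^s_f(p_n))$.

From this and the definition of $A_n$, it follows immediately that the operations
defined above are well-defined, i.e. they always yield elements of $A^\infty$.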

The initial model can be embedded in a natural way in the projective limit
model: each $p \in A_\omega$ corresponds to $(\pi_n(p))_{n \in \mathbb{N}} \in A^\infty$. We extend projection to
an operation on $A^\infty$ by defining $\pi_m((p_n)_{n \in \mathbb{N}}) = (p'_n)_{n \in \mathbb{N}}$, where $p'_n = p_n$ if $n < m$
and $p'_n = p_m$ if $n \geq m$. That is, $\pi_m((p_n)_{n \in \mathbb{N}})$ is $p_m$ embedded in $A^\infty$ as described
above. Henceforth, we will identify elements of $A_\omega$ with their embedding in
$A^\infty$ where elements of $A^\infty$ are concerned.

It follows immediately from the construction of the projective limit model of
TCmd that the axioms of TCmd form a complete axiomatization of this model
for equations between closed terms.

13 Metric Space Structure for Projective Limit Model



Following [27] to some extent, we make $A^\infty$ into a metric space to establish,
using Banach's fixed point theorem, that every guarded operation $\phi : A^\infty \to A^\infty$
has a unique fixed point. This is relevant to the expansion of the projective limit
model of TCmd to the projective limit model of TCmd+REC in Section 14.

An m-ary operation $\phi$ on $A^\infty$ is a guarded operation if for all $p_1, \ldots, p_m,
p'_1, \ldots, p'_m \in A^\infty$ and $n \in \mathbb{N}$:

$\pi_n(p_1) = \pi_n(p'_1) \wedge \ldots \wedge \pi_n(p_m) = \pi_n(p'_m)$
$\Rightarrow \pi_{n+1}(\phi(p_1, \ldots, p_m)) = \pi_{n+1}(\phi(p'_1, \ldots, p'_m))$ .

We say that $\phi$ is an unguarded operation if $\phi$ is not a guarded operation.

The notion of guarded operation, which originates from [36], supersedes the 
notion of guard used in [27]. 

In the remainder of this section, as well as in Sections 14 and 15, we assume
known the notions of metric space, completion of a metric space, dense subset
in a metric space, continuous function on a metric space, limit in a metric space
and contracting function on a metric space, and Banach's fixed point theorem.
The definitions of the above-mentioned notions concerning metric spaces and
Banach's fixed point theorem can, for example, be found in [21]. In this paper,
we will consider ultrametric spaces only. A metric space (M, d) is an ultrametric
space if for all $p, p', p'' \in M$, $d(p, p') \leq \max\{d(p, p''), d(p'', p')\}$.
We define a distance function $d : A^\infty \times A^\infty \to \mathbb{R}$ by



It is easy to verify that $(A^\infty, d)$ is a metric space. The following theorem
summarizes the basic properties of this metric space.

Theorem 5.

1. $(A^\infty, d)$ is an ultrametric space;

2. $(A^\infty, d)$ is the metric completion of the metric space $(A_\omega, d')$, where d' is the
restriction of d to $A_\omega$;

3. $A_\omega$ is dense in $A^\infty$;

4. the operations $\pi_n : A^\infty \to A_n$ are continuous;

5. for all $p \in A^\infty$ and $n \in \mathbb{N}$, $d(\pi_n(p), p) < 2^{-n}$, hence $\lim_{n \to \infty} \pi_n(p) = p$.

Proof. These properties are general properties of metric spaces constructed in
the way pursued here. Proofs of Properties 1-3 can be found in [36]. A proof
of Property 4 can be found in [22]. Property 5 is proved as follows. It follows
from Lemma 1, by passing to the limit and using that the projection operations
are continuous and $A_\omega$ is dense in $A^\infty$, that $\pi_n(\pi_m(p)) = \pi_{\min\{n,m\}}(p)$ for $p \in
A^\infty$ as well. Hence, $\min\{m \in \mathbb{N} \mid \pi_m(\pi_n(p)) \neq \pi_m(p)\} > n$, and consequently



d{p,p') = 2 
d{p,p') = 




$d(\pi_n(p), p) < 2^{-n}$. □

The basic properties given above are used in coming proofs.

The properties of the projection operations stated in the following two
lemmas will be used in the proofs of Theorems 6 and 7 given below.

Lemma 3. For all $p \in A^\infty$ and $n, m \in \mathbb{N}$, $\pi_n(\pi_m(p)) = \pi_{\min\{n,m\}}(p)$.

Proof. As mentioned above in the proof of Theorem 5, this lemma follows from
Lemma 1 by passing to the limit and using that the projection operations are
continuous and $A_\omega$ is dense in $A^\infty$. □

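Lemma 4. For all $p_1, \ldots, p_m \in A^\infty$ and $n \in \mathbb{N}$:

$\pi_n(p_1 \unlhd a \unrhd p_2) = \pi_n(\pi_n(p_1) \unlhd a \unrhd \pi_n(p_2))$ ,    (1)
$\pi_n(\|(\langle p_1 \rangle \curvearrowright \ldots \curvearrowright \langle p_m \rangle)) = \pi_n(\|(\langle \pi_n(p_1) \rangle \curvearrowright \ldots \curvearrowright \langle \pi_n(p_m) \rangle))$ ,    (2)
$\pi_n(\mathsf{S_D}(p_1)) = \pi_n(\mathsf{S_D}(\pi_n(p_1)))$ ,    (3)
$\pi_n(p_1 /_f H) = \pi_n(\pi_n(p_1) /_f H)$ ,    (4)
$\pi_n(\mathsf{local}^s_f(p_1)) = \pi_n(\mathsf{local}^s_f(\pi_n(p_1)))$ .    (5)

Proof. It is enough to prove Equations 1-5 for $p_1, \ldots, p_m \in A_\omega$. The lemma
will then follow by passing to the limit and using that $\pi_n$ is continuous and $A_\omega$
is dense in $A^\infty$. Equations 1 and 5 follow immediately from Lemma 1 and the
definition of $\pi_n$. Equations 2-4 follow immediately from Lemmas 1 and 2. □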

In the terminology of metric topology, the following theorem states that all 
operations in the projective limit model of TCmd are non-expansive. This implies 
that they are continuous, with respect to the metric topology induced by d, in 
all arguments. 

Theorem 6. For all $p_1, \ldots, p_m, p'_1, \ldots, p'_m \in A^\infty$:

$d(p_1 \unlhd a \unrhd p_2, p'_1 \unlhd a \unrhd p'_2) \leq \max\{d(p_1, p'_1), d(p_2, p'_2)\}$ ,    (1)
$d(\|(\langle p_1 \rangle \curvearrowright \ldots \curvearrowright \langle p_m \rangle), \|(\langle p'_1 \rangle \curvearrowright \ldots \curvearrowright \langle p'_m \rangle)) \leq \max\{d(p_1, p'_1), \ldots, d(p_m, p'_m)\}$ ,    (2)
$d(\mathsf{S_D}(p_1), \mathsf{S_D}(p'_1)) \leq d(p_1, p'_1)$ ,    (3)
$d(p_1 /_f H, p'_1 /_f H) \leq d(p_1, p'_1)$ ,    (4)
$d(\mathsf{local}^s_f(p_1), \mathsf{local}^s_f(p'_1)) \leq d(p_1, p'_1)$ .    (5)

Proof. Let $k_i = \min\{n \in \mathbb{N} \mid \pi_n(p_i) \neq \pi_n(p'_i)\}$ for i = 1, 2, and let $k =
\min\{k_1, k_2\}$. Then for all $n \in \mathbb{N}$, we have $n < k$ iff $\pi_n(p_1) = \pi_n(p'_1)$ and $\pi_n(p_2) =
\pi_n(p'_2)$. From this and Lemma 4, it follows immediately that $\pi_{k-1}(p_1 \unlhd a \unrhd p_2) =
\pi_{k-1}(p'_1 \unlhd a \unrhd p'_2)$. Hence, $k \leq \min\{n \in \mathbb{N} \mid \pi_n(p_1 \unlhd a \unrhd p_2) \neq \pi_n(p'_1 \unlhd a \unrhd p'_2)\}$,
which completes the proof for the postconditional composition operators. The
proofs for the other operators go analogously. □

The notion of guarded operation is defined without reference to metric
properties. However, being a guarded operation coincides with having a metric
property that is highly relevant to the issue of unique fixed points: an operation on
$A^\infty$ is a guarded operation iff it is contracting. This is stated in the following
lemma.

Lemma 5. An m-ary operation $\phi$ on $A^\infty$ is a guarded operation iff for all
$p_1, \ldots, p_m, p'_1, \ldots, p'_m \in A^\infty$:

$d(\phi(p_1, \ldots, p_m), \phi(p'_1, \ldots, p'_m)) \leq \frac{1}{2} \cdot \max\{d(p_1, p'_1), \ldots, d(p_m, p'_m)\}$ .

Proof. Let $k_i = \min\{n \in \mathbb{N} \mid \pi_n(p_i) \neq \pi_n(p'_i)\}$ for i = 1, ..., m, and let $k =
\min\{k_1, \ldots, k_m\}$. Then for all $n \in \mathbb{N}$, $n < k$ iff $\pi_n(p_1) = \pi_n(p'_1)$ and ... and
$\pi_n(p_m) = \pi_n(p'_m)$. From this, the definition of a guarded operation and the
definition of $\pi_0$, it follows immediately that $\phi$ is a guarded operation iff for
all $n < k + 1$, $\pi_n(\phi(p_1, \ldots, p_m)) = \pi_n(\phi(p'_1, \ldots, p'_m))$. Hence, $\phi$ is a guarded
operation iff $k + 1 \leq \min\{n \in \mathbb{N} \mid \pi_n(\phi(p_1, \ldots, p_m)) \neq \pi_n(\phi(p'_1, \ldots, p'_m))\}$,
which completes the proof. □

We write $\phi^n$, where $\phi$ is a unary operation on $A^\infty$, for the unary operation on $A^\infty$
that is defined by induction on n as follows: $\phi^0(p) = p$ and $\phi^{n+1}(p) = \phi(\phi^n(p))$.
We have the following important result about guarded operations.

Theorem 7. Let $\phi : A^\infty \to A^\infty$ be a guarded operation. Then $\phi$ has a unique fixed
point, i.e. there exists a unique $p \in A^\infty$ such that $\phi(p) = p$, and $(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$
is the unique fixed point of $\phi$.

Proof. We have from Theorem 5.2 that $(A^\infty, d)$ is a complete metric space
and from Lemma 5 that $\phi$ is contracting. From this, we conclude by Banach's
fixed point theorem that $\phi$ has a unique fixed point. It is easily proved by
induction on n, using Lemma 3 and the definition of guarded operation, that
$\pi_n(\pi_{n+1}(\phi^{n+1}(\mathsf{D}))) = \pi_n(\phi^n(\mathsf{D}))$. From this and the definition of $A_n$, it follows
that $(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$ is an element of $A^\infty$. Moreover, it is easily proved by case
distinction between n = 0 and n > 0, using this equation, Lemma 3 and the
definition of guarded operation, that $\pi_n(\phi(\pi_n(\phi^n(\mathsf{D})))) = \pi_n(\pi_n(\phi^n(\mathsf{D})))$. From
this, it follows that $(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$ is a fixed point of $\phi$ by passing to the limit
and using that $\phi$ is continuous and $A_\omega$ is dense in $A^\infty$ (recall that contracting
operations are continuous). Because $\phi$ has a unique fixed point, $(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$
must be the unique fixed point of $\phi$. □
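The projection equations, the guardedness condition and the sequence $(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$ of Theorem 7 can be exercised on finite thread terms. The following Python sketch is an added example, not code from the paper: it assumes that terms are compared syntactically (which is finer than provable equality in general, so the samples avoid the action tau), and all class and function names are hypothetical. The guardedness check runs over samples only, so it can refute guardedness but not prove it.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Sequence, Union


@dataclass(frozen=True)
class S:                       # termination
    pass


@dataclass(frozen=True)
class D:                       # deadlock
    pass


@dataclass(frozen=True)
class Post:                    # postconditional composition: left <| action |> right
    left: "Thread"
    action: str
    right: "Thread"


@dataclass(frozen=True)
class Local:                   # restriction: local^spot_focus(body)
    focus: str
    spot: str
    body: "Thread"


Thread = Union[S, D, Post, Local]
Operation = Callable[[Thread], Thread]


def proj(n: int, t: Thread) -> Thread:
    """pi_n(t), following the projection equations P0-P4."""
    if n == 0:
        return D()                                   # P0
    if isinstance(t, (S, D)):
        return t                                     # P1, P2
    if isinstance(t, Post):                          # P3: an action consumes one level
        return Post(proj(n - 1, t.left), t.action, proj(n - 1, t.right))
    if isinstance(t, Local):                         # P4: restriction consumes no level
        return Local(t.focus, t.spot, proj(n, t.body))
    raise TypeError(f"not a thread term: {t!r}")


def fix_prefix(phi: Operation, length: int) -> List[Thread]:
    """The components pi_n(phi^n(D)) for n = 0, ..., length - 1."""
    out, current = [], D()
    for n in range(length):
        out.append(proj(n, current))
        current = phi(current)                       # current is now phi^(n+1)(D)
    return out


def is_projective(seq: Sequence[Thread]) -> bool:
    """p_n = pi_n(p_{n+1}) for all consecutive components of the prefix."""
    return all(seq[n] == proj(n, seq[n + 1]) for n in range(len(seq) - 1))


def guarded_on(phi: Operation, samples: Sequence[Thread], max_depth: int) -> bool:
    """Sampled check: pi_n(p) = pi_n(q) must imply pi_{n+1}(phi(p)) = pi_{n+1}(phi(q))."""
    for p, q in product(samples, repeat=2):
        for n in range(max_depth + 1):
            if proj(n, p) == proj(n, q) and proj(n + 1, phi(p)) != proj(n + 1, phi(q)):
                return False
    return True


def loop_on_a(x: Thread) -> Thread:
    return Post(x, "a", S())                         # x <| a |> S, guarded in x


def identity(x: Thread) -> Thread:
    return x                                         # unguarded


# Constructed sample terms.
SAMPLES = (S(), D(), Post(S(), "a", D()), Post(Post(S(), "b", S()), "a", D()),
           Local("f", "s", Post(S(), "a", D())))

if __name__ == "__main__":
    prefix = fix_prefix(loop_on_a, 4)
    print(prefix[2])
    print(is_projective(prefix), guarded_on(loop_on_a, SAMPLES, 4),
          guarded_on(identity, SAMPLES, 4))
```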



14 Projective Limit Model for TCmd+REC

The projective limit model for TCmd+REC is obtained by expansion of the
projective limit model for TCmd with a single operation $\mathsf{fix} : (A^\infty \to^{1} A^\infty) \to A^\infty$
for all the recursion operators.³

³ Given metric spaces (D, d) and (D', d'), we write $D \to^{1} D'$ for the set of all
non-expansive functions from (D, d) to (D', d').

The operation fix differs from the other operations by taking functions from
$A^\infty$ to $A^\infty$ as argument. In agreement with that, for a given assignment in $A^\infty$
for variables, the operand of a recursion operator is interpreted as a function from
$A^\infty$ to $A^\infty$. If the recursion operator $\mathsf{fix}_x$ is used, then variable x is taken as the
variable representing the argument of the function concerned. The interpretation
of terms over the signature of TCmd+REC will be formally defined in Section 15.
The operation fix is defined as follows:

$\mathsf{fix}(\phi) = (\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$ if $\phi$ is a guarded operation,
$\mathsf{fix}(\phi) = (\pi_n(\mathsf{D}))_{n \in \mathbb{N}}$ if $\phi$ is an unguarded operation.

From Theorem 7, we know that every guarded operation $\phi : A^\infty \to A^\infty$ has
only one fixed point and that $(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}}$ is that fixed point. The
justification for the definition of fix for unguarded operations is twofold:

- a function $\phi$ from $A^\infty$ to $A^\infty$ that is representable by a term over the
signature of TCmd+REC is an unguarded operation only if D is one of the fixed
points of $\phi$;

- if D is a fixed point of a function $\phi$ from $A^\infty$ to $A^\infty$, then $(\pi_n(\mathsf{D}))_{n \in \mathbb{N}}$ =

This implies that, for all functions $\phi$ from $A^\infty$ to $A^\infty$ that are representable by a
term over the signature of TCmd+REC, fix yields a fixed point. Actually, it is the
least fixed point with respect to the approximation relation $\sqsubseteq$ that is introduced
in Appendix B. There may be unguarded operations in $A^\infty \to^{1} A^\infty$ for which D
is not a fixed point. However, those operations are not representable by a term
over the signature of TCmd+REC.

It is straightforward to verify that, for every guarded operation $\phi : A^\infty \to A^\infty$,
$(\pi_n(\phi^n(\mathsf{D})))_{n \in \mathbb{N}} = (\pi_n(\phi^{k(n)}(\mathsf{D})))_{n \in \mathbb{N}}$, where $k(n) = \min\{k \mid \pi_n(\phi^k(\mathsf{D})) =
\pi_n(\phi^{k+1}(\mathsf{D}))\}$. The right-hand side of this equation is reminiscent of the
definition of the operation introduced in [7] for the selection of a fixed point in a
projective limit model for PA, a subtheory of ACP [8] without communication.

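We define a distance function $\delta : (A^\infty \to^{1} A^\infty) \times (A^\infty \to^{1} A^\infty) \to \mathbb{R}$ by

$\delta(\phi, \psi) = \sup\{d(\phi(p), \psi(p)) \mid p \in A^\infty\}$ .

The distance function $\delta$ is well-defined because for all $p, p' \in A^\infty$, $d(p, p') \leq 2^{-1}$.
It is easy to verify that $(A^\infty \to^{1} A^\infty, \delta)$ is an ultrametric space.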

The following theorem states that fix is non-expansive for guarded operations. 

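Theorem 8. For all $\phi, \psi \in A^\infty \to^{1} A^\infty$ that are guarded operations:

$d(\mathsf{fix}(\phi), \mathsf{fix}(\psi)) \leq \delta(\phi, \psi)$ .

Proof. Let $p = \mathsf{fix}(\phi)$ and $q = \mathsf{fix}(\psi)$. Then $\phi(p) = p$, $\psi(q) = q$ and also
$d(\phi(p), \psi(q)) = d(p, q)$. We have $d(\phi(p), \phi(q)) \leq \frac{1}{2} \cdot d(p, q)$ by Lemma 5 and
$d(\phi(q), \psi(q)) \leq \delta(\phi, \psi)$ by the definition of $\delta$. It follows that $d(\phi(p), \psi(q)) \leq
\max\{\frac{1}{2} \cdot d(p, q), \delta(\phi, \psi)\}$. Hence, because $d(\phi(p), \psi(q)) = d(p, q)$, we have $d(p, q) \leq
\delta(\phi, \psi)$. That is, $d(\mathsf{fix}(\phi), \mathsf{fix}(\psi)) \leq \delta(\phi, \psi)$. □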

Projective limit models of TCmd+AIP and TCmd+REC+AIP are simply
obtained by expanding the projective limit models of TCmd and TCmd+REC
with the projection operations $\pi_n : A^\infty \to A^\infty$ defined at the end of Section 12.

15 Guarded Recursion Equations



In this section, following [27] to some extent, we introduce the notions of guarded
term and guarded recursion equation and show that every guarded recursion
equation has a unique solution in $A^\infty$. This result is to some extent a side result.
Much of the preparation that has to be done to establish it has been done in
Sections 13 and 14. Therefore, it seems like a waste to omit this result.

Supplementary, in Appendix B, we make $A^\infty$ into a complete partial ordered
set and show, using Tarski's fixed point theorem, that every recursion equation
has a least solution in $A^\infty$ with respect to the partial order relation concerned.

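It is assumed that a fixed but arbitrary set of variables $\mathcal{X}$ has been given.

Let $P \subseteq A^\infty$ and let $X \subseteq \mathcal{X}$. Then we will write $\mathcal{T}_P$ for the set of all terms
over the signature of TCmd+REC with parameters from P⁴ and $\mathcal{T}_P^X$ for the set
of all terms from $\mathcal{T}_P$ in which no other variables than the ones in X have free
occurrences.

The interpretation function $[\![\_]\!] : \mathcal{T}_P \to ((\mathcal{X} \to A^\infty) \to A^\infty)$ of terms with
parameters from $P \subseteq A^\infty$ is defined as follows:

$[\![p]\!](\rho) = p$ ,
$[\![\mathsf{S}]\!](\rho) = \mathsf{S}$ ,
$[\![\mathsf{D}]\!](\rho) = \mathsf{D}$ ,
$[\![t_1 \unlhd a \unrhd t_2]\!](\rho) = [\![t_1]\!](\rho) \unlhd a \unrhd [\![t_2]\!](\rho)$ ,
$[\![\|(\langle t_1 \rangle \curvearrowright \ldots \curvearrowright \langle t_m \rangle)]\!](\rho) = \|(\langle [\![t_1]\!](\rho) \rangle \curvearrowright \ldots \curvearrowright \langle [\![t_m]\!](\rho) \rangle)$ ,
$[\![\mathsf{S_D}(t)]\!](\rho) = \mathsf{S_D}([\![t]\!](\rho))$ ,
$[\![t /_f H]\!](\rho) = [\![t]\!](\rho) /_f H$ ,
$[\![\mathsf{local}^s_f(t)]\!](\rho) = \mathsf{local}^s_f([\![t]\!](\rho))$ ,
$[\![\mathsf{fix}_x(t)]\!](\rho) = \mathsf{fix}(\phi)$ ,

where $\phi : A^\infty \to A^\infty$ is defined by $\phi(p) = [\![t]\!](\rho \oplus [x \mapsto p])$ .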

The property stated in the following lemma will be used in the proof of 
Lemma 7 given below. 

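Lemma 6. Let $P \subseteq A^\infty$, let $t \in \mathcal{T}_P$, let $x \in \mathcal{X}$, let $p \in P$, and let $\rho : \mathcal{X} \to A^\infty$.
Then $[\![t]\!](\rho \oplus [x \mapsto p]) = [\![t[p/x]]\!](\rho)$.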

Proof. This is easily proved by induction on the structure of t. □ 

Let $x_1, \ldots, x_n \in \mathcal{X}$, let $X \subseteq \{x_1, \ldots, x_n\}$, let $P \subseteq A^\infty$, and let $t \in \mathcal{T}_P^X$.
Moreover, let $\rho : \mathcal{X} \to A^\infty$. Then the interpretation of t with respect to $x_1, \ldots, x_n$,
written $[\![t]\!]^{x_1, \ldots, x_n}$, is the unique function $\phi : (A^\infty)^n \to A^\infty$ such that for all
$p_1, \ldots, p_n \in A^\infty$, $\phi(p_1, \ldots, p_n) = [\![t]\!](\rho \oplus [x_1 \mapsto p_1] \oplus \ldots \oplus [x_n \mapsto p_n])$.

The interpretation of t with respect to $x_1, \ldots, x_n$ is well-defined because it
is independent of the choice of $\rho$.

⁴ A term with parameters is a term in which elements of the domain of a model are
used as constants naming themselves. For a justification of this mix-up of syntax
and semantics in case only one model is under consideration, see e.g. [25].

The notion of guarded term defined below is suggested by the fact, stated in
Lemma 5 above, that an operation on $A^\infty$ is a guarded operation iff it is
contracting. The only guarded operations, and consequently contracting operations,
in the projective limit model of TCmd+REC are the postconditional composition
operations. Based upon this, we define the notion of guarded term as follows.

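Let $P \subseteq A^\infty$. Then the set $\mathcal{G}_P$ of guarded terms with parameters from P is
inductively defined as follows:

- if $p \in P$, then $p \in \mathcal{G}_P$;

- $\mathsf{S}, \mathsf{D} \in \mathcal{G}_P$;

- if $a \in \mathcal{A}$ and $t_1, t_2 \in \mathcal{T}_P$, then $t_1 \unlhd a \unrhd t_2 \in \mathcal{G}_P$;

- if $t_1, \ldots, t_m \in \mathcal{G}_P$, then $\|(\langle t_1 \rangle \curvearrowright \ldots \curvearrowright \langle t_m \rangle) \in \mathcal{G}_P$;

- if $t \in \mathcal{G}_P$, then $\mathsf{S_D}(t) \in \mathcal{G}_P$;

- if $f \in \mathcal{F}$, $H \in \mathcal{RF}$ and $t \in \mathcal{G}_P$, then $t /_f H \in \mathcal{G}_P$;

- if $f \in \mathcal{F}$, $s \in$ Spot and $t \in \mathcal{G}_P$, then $\mathsf{local}^s_f(t) \in \mathcal{G}_P$;

- if $x \in \mathcal{X}$, $t \in \mathcal{G}_P$ and x is guarded in t, then $\mathsf{fix}_x(t) \in \mathcal{G}_P$.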

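The following lemma states that guarded terms represent operations on $A^\infty$
that are contracting.

Lemma 7. Let $x_1, \ldots, x_n \in \mathcal{X}$, let $X \subseteq \{x_1, \ldots, x_n\}$, let $P \subseteq A^\infty$, and let
$t \in \mathcal{T}_P^X$. Then $t \in \mathcal{G}_P$ only if for all $p_1, \ldots, p_n, p'_1, \ldots, p'_n \in A^\infty$:

$d([\![t]\!]^{x_1, \ldots, x_n}(p_1, \ldots, p_n), [\![t]\!]^{x_1, \ldots, x_n}(p'_1, \ldots, p'_n))
\leq \frac{1}{2} \cdot \max\{d(p_1, p'_1), \ldots, d(p_n, p'_n)\}$ .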

Proof. This is easily proved by induction on the structure of t using Theorems 6 
and 8, Lemmas 5 and 6, and the fact that the postconditional composition 
operations are guarded operations. □ 

A recursion equation is an equation $x = t$, where $x \in \mathcal{X}$ and $t \in \mathcal{T}_P^{\{x\}}$ for
some $P \subseteq A^\infty$. A recursion equation $x = t$ is a guarded recursion equation if
$t \in \mathcal{G}_P$ for some $P \subseteq A^\infty$. Let $x = t$ be a recursion equation. Then $p \in A^\infty$ is a
solution of $x = t$ if $[\![t]\!]^x(p) = p$.

We have the following important result about guarded recursion equations. 

Theorem 9. Every guarded recursion equation has a unique solution in the 
projective limit model for TCmd+R-EC. 

Proof. Let $x \in \mathcal{X}$, let $P \subseteq A^\infty$, and let $t \in \mathcal{T}_P^{\{x\}}$ be such that $t \in \mathcal{G}_P$. We have
from Theorem 5.2 that $(A^\infty, d)$ is a complete metric space and from Lemma 7
that $[\![t]\!]^x$ is contracting. From this, we conclude by Banach's fixed point theorem
that $[\![t]\!]^x$ has a unique fixed point. Hence, the guarded recursion equation $x = t$
has a unique solution. □

The projection operations and the distance function as defined in this paper
match well with our intuitive ideas about finite approximations of threads and 
closeness of threads, respectively. The suitability of the definitions given in this 
paper is supported by the fact that guarded operations coincide with contracting 
operations. However, it is not at all clear whether adaptations of the definitions 
are feasible and will lead to different uniqueness results. 

16 Equality in the Projective Limit Model for TCmd+REC+AIP

In this section, we determine the position in the arithmetical hierarchy (the 
Kleene-Mostowski hierarchy) of the equality relation in the projective limit 
model for TCmd+REC+AIP. 

We start with a theorem that bears witness to the strength of the axioms of 
TCmd+REC+AIP. 

Theorem 10. For all closed terms $p, q$ over the signature of TCmd+REC+PR
for which $p = q$ holds in the projective limit model of TCmd+REC+AIP, for all
$n \in \mathbb{N}$, $\pi_n(p) = \pi_n(q)$ is derivable from the axioms of TCmd+REC+PR.

Proof. Let $n \in \mathbb{N}$, and let $p', q'$ be basic terms such that $\pi_n(p) = p'$ and $\pi_n(q) = q'$ are
derivable from the axioms of TCmd+REC+PR. Such terms exist by Theorem 4.
By the soundness of the axioms of TCmd+REC+PR, $\pi_n(p) = p'$ and $\pi_n(q) = q'$
hold in the projective limit model of TCmd+REC+AIP. Moreover, because $p = q$
holds in the projective limit model of TCmd+REC+AIP, $\pi_n(p) = \pi_n(q)$ holds
in the projective limit model of TCmd+REC+AIP. Hence, $p' = q'$ holds in the
projective limit model of TCmd+REC+AIP. Because the axioms of TCmd form a
complete axiomatization of the restriction of this model to the signature of TCmd
for equations between closed terms, $p' = q'$ is derivable from the axioms of TCmd.
Hence, $\pi_n(p) = \pi_n(q)$ is derivable from the axioms of TCmd+REC+PR. □

By Theorem 4, the reduction of terms $\pi_n(p)$, where $p$ is a closed term over the
signature of TCmd+REC+PR, to basic terms is computable. Moreover, equality
of basic terms is syntactic equality modulo axioms R1 and R11. Hence, as a
corollary of Theorems 4 and 10, we have the following decidability result:

Corollary 1. For closed terms $p, q$ over the signature of TCmd+REC+PR and
$n \in \mathbb{N}$, it is decidable, uniformly in $n$, whether $\pi_n(p) = \pi_n(q)$ holds in the
projective limit model of TCmd+REC+AIP.

Corollary 1 leads us to the position in the arithmetical hierarchy of the equality
relation in the projective limit model of TCmd+REC+AIP. Recall that a
relation is a $\Sigma^0_0$-relation iff it is a recursive relation, and that a relation is a
$\Pi^0_1$-relation iff it is a co-recursively enumerable relation (see e.g. [35,28]).

Theorem 11. Let $\mathcal{C}$ be the set of all closed terms over the signature of
TCmd+REC+PR, and let ${\equiv} \subseteq \mathcal{C} \times \mathcal{C}$ be the relation defined by $p \equiv q$ iff $p = q$ holds in
the projective limit model of TCmd+REC+AIP. Then $\equiv$ is a $\Pi^0_1$-relation.

Proof. Let $Pr \subseteq \mathbb{N} \times \mathcal{C} \times \mathcal{C}$ be the relation defined by $Pr(n, p, q)$ iff $\pi_n(p) = \pi_n(q)$
holds in the projective limit model of TCmd+REC+AIP. By the definition of this
model, $p \equiv q \Leftrightarrow \forall n \in \mathbb{N} \bullet Pr(n, p, q)$ for all $p, q \in \mathcal{C}$. Moreover, by Corollary 1,
$Pr$ is a $\Sigma^0_0$-relation. Hence, $\equiv$ is a $\Pi^0_1$-relation. □
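The argument of Corollary 1 and Theorem 11 can be run on a small fragment. The following Python sketch is an added example, not code from the paper: it covers only S, D and postconditional composition, with threads given by guarded recursion equations, and it assumes the usual projection equations $\pi_0(p) = \mathsf{D}$, $\pi_{n+1}(\mathsf{S}) = \mathsf{S}$, $\pi_{n+1}(\mathsf{D}) = \mathsf{D}$ and $\pi_{n+1}(p \unlhd a \unrhd q) = \pi_n(p) \unlhd a \unrhd \pi_n(q)$ (Section 12 is not reproduced here). The names `Projector`, `proj`, `first_difference` and the sample specification are hypothetical.

```python
"""Refuting thread equality by comparing finite projections (constructed example)."""

D, S = 0, 1  # ids of the two constant basic terms


class Projector:
    """Computes pi_n for threads given by guarded recursion equations.

    spec maps a variable to "S", "D" or (x, action, y), read as
    variable = x <| action |> y.  Basic terms are hash-consed: structurally
    equal terms get the same integer id, so comparing projections is O(1).
    In this fragment there is no restriction, so equality of basic terms
    is plain syntactic equality.
    """

    def __init__(self, spec):
        self.spec = spec
        self._ids = {}    # (then_id, action, else_id) -> term id
        self._memo = {}   # (variable, n) -> id of pi_n(variable)

    def proj(self, x, n):
        if n == 0:
            return D                      # assumed equation: pi_0(p) = D
        rhs = self.spec[x]
        if rhs == "S":
            return S
        if rhs == "D":
            return D
        key = (x, n)
        if key not in self._memo:
            then_var, action, else_var = rhs
            node = (self.proj(then_var, n - 1), action,
                    self.proj(else_var, n - 1))
            # Reuse the id of an existing equal node, else allocate a new one.
            self._memo[key] = self._ids.setdefault(node, len(self._ids) + 2)
        return self._memo[key]

    def first_difference(self, x, y, bound):
        """Least n <= bound with pi_n(x) != pi_n(y), or None if there is none.

        Each test Pr(n, x, y) is decidable; a difference, if one exists, is
        found after finitely many tests, so inequality is semi-decidable and
        equality is co-recursively enumerable.
        """
        for n in range(bound + 1):
            if self.proj(x, n) != self.proj(y, n):
                return n
        return None


# Constructed sample specification.
SPEC = {
    "stop": "S",
    "dead": "D",
    "loop": ("loop", "a", "stop"),   # loop = loop <| a |> stop
    "even": ("odd", "a", "stop"),    # the same behaviour, as two equations
    "odd":  ("even", "a", "stop"),
    "c3":   ("c2", "a", "stop"),     # terminates after at most three a's
    "c2":   ("c1", "a", "stop"),
    "c1":   ("stop", "a", "stop"),
}

if __name__ == "__main__":
    pr = Projector(SPEC)
    print(pr.first_difference("loop", "even", 200))  # no refutation found
    print(pr.first_difference("loop", "c3", 200))    # projections diverge
```

A `None` result only says that no difference exists up to the bound; confirming equality requires the universal quantifier over all $n$, which is what places the relation at $\Pi^0_1$.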

17 Projective Limit Model for TCmd with Thread Forking 

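The construction of the projective limit model for $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ follows the same line
as the construction of the projective limit model for TCmd. In this section, the
construction of the projective limit model for $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ is outlined.

Recall that the basic terms of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ include closed terms $p \unlhd \mathsf{nt}(r) \unrhd q$, where
$p$, $q$ and $r$ are basic terms (see Section 10). The domain $A'_\omega$ of the initial model
of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ consists of the equivalence classes of basic terms of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$.

The projection functions $\pi_n : A'_\omega \to A'_\omega$ are the extensions of the projection
functions $\pi_n : A_\omega \to A_\omega$ inductively defined by the equations given for $\pi_n : A_\omega \to A_\omega$
in Section 12 and the following equation:

$\pi_{n+1}(p \unlhd \mathsf{nt}(r) \unrhd q) = \pi_n(p) \unlhd \mathsf{nt}(\pi_n(r)) \unrhd \pi_n(q)$.

For all $n \in \mathbb{N}$, we will write $A'_n$ for $\{\pi_n(p) \mid p \in A'_\omega\}$. Moreover, we will write
${A'}^\infty$ for $\{(p_n)_{n \in \mathbb{N}} \mid \bigwedge_{n \in \mathbb{N}} (p_n \in A'_n \wedge p_n = \pi_n(p_{n+1}))\}$.
Lemmas 1 and 2 go through for $A'_\omega$.

The projective limit model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ consists of the following:

- the set ${A'}^\infty$, the domain of the projective limit model;

- an element of ${A'}^\infty$ for each constant of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$;

- an operation on ${A'}^\infty$ for each operator of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$.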

Those elements of ${A'}^\infty$ and operations on ${A'}^\infty$, with the exception of the
operation associated with the forking postconditional composition operator, are
defined as in the case of the projective limit model for TCmd. The ternary
operation on ${A'}^\infty$ associated with the forking postconditional composition operator
is defined as follows:

$(p_n)_{n \in \mathbb{N}} \unlhd \mathsf{nt}((r_n)_{n \in \mathbb{N}}) \unrhd (q_n)_{n \in \mathbb{N}} = (\pi_n(p_n \unlhd \mathsf{nt}(r_n) \unrhd q_n))_{n \in \mathbb{N}}$.

Using Lemma 1, we easily prove that for $(p_n)_{n \in \mathbb{N}}, (q_n)_{n \in \mathbb{N}}, (r_n)_{n \in \mathbb{N}} \in {A'}^\infty$:

$\pi_n(\pi_{n+1}(p_{n+1} \unlhd \mathsf{nt}(r_{n+1}) \unrhd q_{n+1})) = \pi_n(p_n \unlhd \mathsf{nt}(r_n) \unrhd q_n)$.

From this and the definition of ${A'}^\infty$, it follows immediately that the operation
defined above always yields elements of ${A'}^\infty$.

Lemma 3 goes through for ${A'}^\infty$. Lemma 4 goes through for ${A'}^\infty$ as well; and
we have in addition that for all $p_1,p_2,p_3 \in {A'}^\infty$ and $n \in \mathbb{N}$:

$\pi_n(p_1 \unlhd \mathsf{nt}(p_3) \unrhd p_2) = \pi_n(\pi_n(p_1) \unlhd \mathsf{nt}(\pi_n(p_3)) \unrhd \pi_n(p_2))$.

Theorem 6 goes through for ${A'}^\infty$; and we have in addition that for all
$p_1,p_2,p_3,p'_1,p'_2,p'_3 \in {A'}^\infty$:

$d(p_1 \unlhd \mathsf{nt}(p_3) \unrhd p_2, p'_1 \unlhd \mathsf{nt}(p'_3) \unrhd p'_2) \le \max\{d(p_1,p'_1), d(p_2,p'_2), d(p_3,p'_3)\}$.

Lemma 5 and Theorem 7 go through for ${A'}^\infty$.

The projective limit model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC is obtained by expansion of the
projective limit model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ with a single operation $\mathsf{fix} : ({A'}^\infty \to {A'}^\infty) \to {A'}^\infty$
for all the recursion operators. This operation is defined as in the case of the
projective limit model of TCmd+REC. Theorem 8 goes through for ${A'}^\infty$.

The interpretation function $[\![\_]\!]$ of terms with parameters from $P$ is now
defined by the equations given for $[\![\_]\!]$ in Section 15 and the following equation:

$[\![t_1 \unlhd \mathsf{nt}(t_3) \unrhd t_2]\!](\rho) = [\![t_1]\!](\rho) \unlhd \mathsf{nt}([\![t_3]\!](\rho)) \unrhd [\![t_2]\!](\rho)$.

The set $\mathcal{G}_P$ of guarded terms with parameters from $P$ is now inductively defined
by the rules given for $\mathcal{G}_P$ in Section 15 and the following rule:

- if $t_1,t_2,t_3 \in \mathcal{T}_P$, then $t_1 \unlhd \mathsf{nt}(t_3) \unrhd t_2 \in \mathcal{G}_P$.

Lemmas 6 and 7 and Theorem 9 go through for ${A'}^\infty$.

Projective limit models of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+AIP and $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP are obtained
by expanding the projective limit models of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ and $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC with
projection operations $\pi_n : {A'}^\infty \to {A'}^\infty$. These operations are defined as in the case of
the projective limit models of TCmd+AIP and TCmd+REC+AIP. Theorem 10,
Corollary 1 and Theorem 11 go through for $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP.

It is easily proved that the projective limit model for TCmd is a submodel of
the restriction of the projective limit model for $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$ to the signature of TCmd.

18 Behavioural Equivalence of $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ Programs

In this short section, we introduce behavioural equivalence of $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ programs
and show that it is a $\Pi^0_1$-relation.

Let $\mathcal{P}$ be the set of all $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ programs. Then, taking $|\_|$ as a function from
$\mathcal{P}$ to ${A'}^\infty$, the behavioural equivalence relation ${\equiv_{be}} \subseteq \mathcal{P} \times \mathcal{P}$ is defined by $P \equiv_{be} Q$
iff $|P|$ is identical to $|Q|$ in the projective limit model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP.

The following theorem is the counterpart of Theorem 11 in the world of
$\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ programs.

Theorem 12. The behavioural equivalence relation $\equiv_{be}$ is a $\Pi^0_1$-relation.

Proof. Let $Pr' \subseteq \mathbb{N} \times \mathcal{P} \times \mathcal{P}$ be the relation defined by $Pr'(n, P, Q)$ iff $\pi_n(|P|)$ is
identical to $\pi_n(|Q|)$ in the projective limit model of TCmd+REC+AIP. By the
definition of this model, $P \equiv_{be} Q \Leftrightarrow \forall n \in \mathbb{N} \bullet Pr'(n, P, Q)$ for all $P, Q \in \mathcal{P}$.
Therefore, it is sufficient to prove that $Pr'$ is a $\Sigma^0_0$-relation. In essentially the
same way as described for PGA programs in [9], each $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ program $P$ can be
reduced to a $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ program $Q$ without chains of jump instructions such that
$|P|$ is identical to $|Q|$ in the projective limit model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP. This
reduction is computable. Moreover, each $\mathrm{PGLD}^{\mathrm{tf}}_{\mathrm{md}}$ program $P$ without chains of
jump instructions can be translated into a closed term $p$ over the signature of
$\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC such that $|P|$ is identical to the interpretation of $p$ in the projective
limit model of $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP. Because it is restricted to programs without
chains of jump instructions, this translation is computable as well. From this
and Corollary 1, which goes through for $\mathrm{TC}^{\mathrm{tf}}_{\mathrm{md}}$+REC+AIP, it follows that $Pr'$
is a $\Sigma^0_0$-relation. □



19 Conclusions 

In this paper, we have carried on the line of research with which we made a start 
in [13]. We pursue with this line of research the object to develop a theory about
threads, multi-threading and interaction of threads with services that is useful 
for (a) gaining insight into the semantic issues concerning the multi-threading 
related features found in contemporary programming languages such as Java 
and C#, and (b) simplified formal description and analysis of programs in which 
multi-threading is involved. In this paper, we have extended the theory developed 
in [13] with features that make it possible to deal with details of multi-threading 
that come up where it is adjusted to the object-orientation of those languages. 
We regard this extension as just a step towards attaining the above-mentioned 
object. It is likely that applications of the theory developed so far will make 
clear that multi-threading related features found in contemporary programming 
languages are also intertwined with other matters and as a consequence further 
developments are needed. 

There is another line of research that emanated from the work presented 
in [13]. That line of research concerns the development of a formal approach 
to design new micro-architectures (architectures of micro-processors). The ap- 
proach should allow for the correctness of new micro-architectures and their 
anticipated speed-up results to be verified. In [17], we demonstrate the fea- 
sibility of an approach that involves the use of thread algebra. The line of 
research concerned is carried out in the framework of a project investigating 
micro-threading [20,26], a technique for speeding up instruction processing on 
a computer which requires that programs are parallelized by judicious use of 
thread forking. 

The work presented in this paper was partly carried out in the framework
of that project as well. For programs written in programming languages such
as Java and C#, compilers will have to take care of the parallelization. In [12], 
we investigate parallelization for simple programs, which are close to machine 
language programs. That work has convinced us that it is desirable to have 
available an extension of thread algebra like the one presented in this paper 
when developing parallelization techniques for the compilers referred to above. 

It is worth mentioning that the applications of thread algebra exceed the
domain of single non-distributed multi-threaded programs. In [14], we extend
the theory with features to cover systems that consist of several multi-threaded
programs on various hosts in different networks. To demonstrate its usefulness,
we employ the extended theory to develop a simplified, formal representation
schema of the design of such systems and to verify a property of all systems
designed according to that schema. In [16], we extend the theory with features that
allow for details that come up with distributed multi-threading to be dealt with.
The features include explicit thread migration, load balancing and capability
searching.

Table 18. Definition of $\mathrm{fn}^f(p)$ and $\mathrm{bn}^f(p)$

$\mathrm{fn}^f(\mathsf{S}) =$
$\mathrm{bn}^f(\mathsf{S}) =$
$\mathrm{fn}^f(\mathsf{D}) =$
$\mathrm{bn}^f(\mathsf{D}) =$
$\mathrm{fn}^f(\mathsf{tau} \circ t) = \mathrm{fn}^f(t)$
$\mathrm{bn}^f(\mathsf{tau} \circ t) = \mathrm{bn}^f(t)$
$\mathrm{fn}^f(t \unlhd g.m \unrhd t') = \mathrm{fn}^f(t) \cup \mathrm{fn}^f(t')$   if $f \neq g$
$\mathrm{bn}^f(t \unlhd g.m \unrhd t') = \mathrm{bn}^f(t) \cup \mathrm{bn}^f(t')$
$\mathrm{fn}^f(t \unlhd f.m \unrhd t') = \mathrm{fn}^f(t) \cup \mathrm{fn}^f(t') \cup \mathrm{n}(m)$
$\mathrm{fn}^f(\parallel(\alpha)) = \mathrm{fn}^f(\alpha)$
$\mathrm{bn}^f(\parallel(\alpha)) = \mathrm{bn}^f(\alpha)$
$\mathrm{fn}^f(\mathsf{S_D}(t)) = \mathrm{fn}^f(t)$
$\mathrm{bn}^f(\mathsf{S_D}(t)) = \mathrm{bn}^f(t)$
$\mathrm{fn}^f(t /_g H) = \mathrm{fn}^f(t)$
$\mathrm{bn}^f(t /_g H) = \mathrm{bn}^f(t)$
$\mathrm{fn}^f(\mathsf{local}^g_s(t)) = \mathrm{fn}^f(t)$
$\mathrm{bn}^f(\mathsf{local}^g_s(t)) = \mathrm{bn}^f(t)$   if $f \neq g$
$\mathrm{fn}^f(\mathsf{local}^f_s(t)) = \mathrm{fn}^f(t) \setminus \{s\}$
$\mathrm{bn}^f(\mathsf{local}^f_s(t)) = \mathrm{bn}^f(t) \cup \{s\}$
$\mathrm{fn}^f(\langle\rangle) =$
$\mathrm{bn}^f(\langle\rangle) =$
$\mathrm{fn}^f(\langle t \rangle \frown \alpha) = \mathrm{fn}^f(t) \cup \mathrm{fn}^f(\alpha)$
$\mathrm{bn}^f(\langle t \rangle \frown \alpha) = \mathrm{bn}^f(t) \cup \mathrm{bn}^f(\alpha)$

A Free and Bound Names, Substitution 

In this appendix, we define $\mathrm{fn}^f(p)$, the set of free names of term $p$ with respect
to focus $f$, $\mathrm{bn}^f(p)$, the set of bound names of term $p$ with respect to focus $f$,
and $p[s'/s]^f$, the substitution of name $s'$ for free occurrences of name $s$ with
respect to focus $f$ in term $p$. In Table 18, $\mathrm{fn}^f(p)$ and $\mathrm{bn}^f(p)$ are defined, and in
Table 19, $p[s'/s]^f$ is defined. We write $m[s'/s]$, where $m \in \mathcal{M}$, for the result of
replacing in $m$ all occurrences of $s$ by $s'$.

B CPO Structure for Projective Limit Model 

In this appendix, we make $A^\infty$ into a complete partial ordering (cpo) to establish
the existence of least solutions of recursion equations using Tarski's fixed point
theorem.

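Table 19. Definition of $p[s'/s]^f$

$\mathsf{S}[s'/s]^f = \mathsf{S}$
$\mathsf{D}[s'/s]^f = \mathsf{D}$
$(\mathsf{tau} \circ t)[s'/s]^f = \mathsf{tau} \circ (t[s'/s]^f)$
$(t \unlhd g.m \unrhd t')[s'/s]^f = (t[s'/s]^f) \unlhd g.m \unrhd (t'[s'/s]^f)$   if $f \neq g$
$(t \unlhd f.m \unrhd t')[s'/s]^f = (t[s'/s]^f) \unlhd f.m[s'/s] \unrhd (t'[s'/s]^f)$
$\parallel(\alpha)[s'/s]^f = \parallel(\alpha[s'/s]^f)$
$\mathsf{S_D}(t)[s'/s]^f = \mathsf{S_D}(t[s'/s]^f)$
$(t /_g H)[s'/s]^f = (t[s'/s]^f) /_g H$
$\mathsf{local}^g_{s''}(t)[s'/s]^f = \mathsf{local}^g_{s''}(t[s'/s]^f)$   if $f \neq g \vee (s \neq s'' \wedge s' \neq s'')$
$\mathsf{local}^f_{s''}(t)[s'/s]^f = \mathsf{local}^f_{s'''}((t[s'''/s'']^f)[s'/s]^f)$   if $(s \neq s'' \wedge s' = s'')$   $(s''' \notin \mathrm{fn}^f(t) \cup \mathrm{bn}^f(t) \cup \{s, s'\})$
$\mathsf{local}^f_s(t)[s'/s]^f = \mathsf{local}^f_s(t)$
$\langle\rangle[s'/s]^f = \langle\rangle$
$(\langle t \rangle \frown \alpha)[s'/s]^f = \langle t[s'/s]^f \rangle \frown (\alpha[s'/s]^f)$

The approximation relation ${\sqsubseteq} \subseteq A_\omega \times A_\omega$ is the smallest partial ordering
such that for all $p, p', q, q' \in A_\omega$:

- $\mathsf{D} \sqsubseteq p$;

- $p \sqsubseteq p' \Rightarrow \mathsf{tau} \circ p \sqsubseteq \mathsf{tau} \circ p'$;

- for all $f \in \mathcal{F}$ and $m \in \mathcal{M}$, $p \sqsubseteq p' \wedge q \sqsubseteq q' \Rightarrow p \unlhd f.m \unrhd q \sqsubseteq p' \unlhd f.m \unrhd q'$;

- for all $f \in \mathcal{F}$, $m \in \mathcal{M}$, and $s_1,\ldots,s_n \in \mathrm{n}(m)$ with $s_i \neq s_j$ for all $i,j \in [1,n]$
for which $i \neq j$, $p \sqsubseteq p' \wedge q \sqsubseteq q' \Rightarrow \mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p \unlhd f.m \unrhd q) \ldots) \sqsubseteq
\mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p' \unlhd f.m \unrhd q') \ldots)$.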

The approximation relation ${\sqsubseteq} \subseteq A^\infty \times A^\infty$ is defined component-wise:

$(p_n)_{n \in \mathbb{N}} \sqsubseteq (q_n)_{n \in \mathbb{N}} \Leftrightarrow \forall n \in \mathbb{N} \bullet p_n \sqsubseteq q_n$.

The approximation relation $\sqsubseteq$ on $A_n$ is simply the restriction of $\sqsubseteq$ on $A_\omega$ to $A_n$.
The following proposition states that any $p \in A_\omega$ is finitely approximated by
projection.

Proposition 11. For all $p \in A_\omega$:

$\exists n \in \mathbb{N} \bullet (\forall k < n \bullet \pi_k(p) \sqsubseteq \pi_{k+1}(p) \wedge \forall l > n \bullet \pi_l(p) = p)$.

Proof. The proof follows the same line as the proof of Proposition 1 from [6]. This
means that it is a rather trivial proof by induction on the structure of $p$. Here,
we have to consider the additional case $p = \mathsf{local}^f_{s_1}(\ldots \mathsf{local}^f_{s_n}(p' \unlhd f.m \unrhd p'') \ldots)$
with $s_1,\ldots,s_n \in \mathrm{n}(m)$ and $s_i \neq s_j$ for all $i,j \in [1,n]$ for which $i \neq j$. This case
goes analogous to the case $p = p' \unlhd f.m \unrhd p''$. □

The properties stated in the following lemma will be used in the proof of 
Theorem 13 given below. 
Lemma 8. For all $n \in \mathbb{N}$:

1. $(A_n, \sqsubseteq)$ is a cpo;

2. $\pi_n$ is continuous;

3. for all $p \in A_\omega$:

(a) $\pi_n(p) \sqsubseteq p$;

(b) $\pi_n(\pi_n(p)) = \pi_n(p)$;

(c) $\pi_{n+1}(\pi_n(p)) = \pi_n(p)$.

Proof. The proof follows similar lines as the proof of Proposition 2 from [6]. For
property 1, we now have to consider directed sets that consist of D, postconditional
compositions and restrictions of postconditional compositions instead
of D and postconditional compositions. However, the same reasoning applies.
For property 2, we now have to use induction on the structure of the elements
of $A_\omega$ and distinction between the cases $n = 0$ and $n > 0$ for postconditional
compositions. Due to the presence of restrictions, we cannot use induction on $n$
and case distinction on the structure of the elements of $A_\omega$ like in [6]. However,
the crucial details of the proof remain the same. Like in [6], property 3a follows
immediately from Proposition 11. Properties 3b and 3c follow immediately from
Lemma 1. □

The following theorem states some basic properties of the approximation
relation $\sqsubseteq$ on $A^\infty$.

Theorem 13. $(A^\infty, \sqsubseteq)$ is a cpo with $\bigsqcup P = (\bigsqcup\{\pi_n(p) \mid p \in P\})_{n \in \mathbb{N}}$ for all
directed sets $P \subseteq A^\infty$. Moreover, up to (order) isomorphism $A_\omega \subseteq A^\infty$.

Proof. The proof follows the same line as the proof of Theorem 1 from [6]. That
is, using general properties of the projective limit construction on cpos, the first
part follows immediately from Lemmas 8.1 and 8.2, and the second part follows
easily from Proposition 11 and Lemma 8.3. □

Another important property of the approximation relation $\sqsubseteq$ on $A^\infty$ is stated
in the following theorem.

Theorem 14. The operations from the projective limit model of TCmd are
continuous with respect to $\sqsubseteq$.

Proof. The proof begins by establishing the monotonicity of the operations on
$A_\omega$. For the postconditional composition operations, this follows immediately
from the definition of $\sqsubseteq$ on $A_\omega$. For the cyclic interleaving operation, it is
straightforwardly proved by induction on the sum of the depths plus one of the threads
in the thread vector and case distinction on the structure of the first thread
in the thread vector. For the deadlock at termination operation, the thread-service
composition operations and the restriction operations, it is easily proved
by structural induction. Then the monotonicity of the operations on $A^\infty$ follows
from their monotonicity on $A_\omega$, the monotonicity of the projection operations
and the definition of $\sqsubseteq$ on $A^\infty$.
What remains to be proved is that least upper bounds of directed sets are
preserved by the operations. We will show how the proof goes for the
postconditional composition operations. The proofs for the other kinds of
operations go similarly. Let $P, Q \subseteq A^\infty$ be directed sets. Then, for all $n \in \mathbb{N}$,
$\{\pi_n(p) \mid p \in P\}$, $\{\pi_n(q) \mid q \in Q\}$, $\{\pi_n(p) \unlhd a \unrhd \pi_n(q) \mid p \in P \wedge q \in Q\} \subseteq A_n$ are
directed sets by the monotonicity of $\pi_n$. Moreover, it is easily proved by induction
on $n$, using the definition of $\sqsubseteq$ on $A_n$, that these directed sets are finite. This
implies that they have maximal elements. From this, it follows by the monotonicity
of $\_ \unlhd a \unrhd \_$ that, for all $n \in \mathbb{N}$,
$(\bigsqcup\{\pi_n(p) \mid p \in P\}) \unlhd a \unrhd (\bigsqcup\{\pi_n(q) \mid q \in Q\}) = \bigsqcup\{\pi_n(p) \unlhd a \unrhd \pi_n(q) \mid p \in P \wedge q \in Q\}$.
From this, it follows by the property of lubs of directed sets stated in Theorem 13
and the definition of $\pi_{n+1}$ that, for all $n \in \mathbb{N}$,
$\pi_{n+1}((\bigsqcup P) \unlhd a \unrhd (\bigsqcup Q)) = \pi_{n+1}(\bigsqcup\{p \unlhd a \unrhd q \mid p \in P \wedge q \in Q\})$.
Because $\pi_0((\bigsqcup P) \unlhd a \unrhd (\bigsqcup Q)) = \mathsf{D} = \pi_0(\bigsqcup\{p \unlhd a \unrhd q \mid p \in P \wedge q \in Q\})$, also for all $n \in \mathbb{N}$,
$\pi_n((\bigsqcup P) \unlhd a \unrhd (\bigsqcup Q)) = \pi_n(\bigsqcup\{p \unlhd a \unrhd q \mid p \in P \wedge q \in Q\})$. From this, it follows by
the definition of $\sqsubseteq$ on $A^\infty$ that $(\bigsqcup P) \unlhd a \unrhd (\bigsqcup Q) = \bigsqcup\{p \unlhd a \unrhd q \mid p \in P \wedge q \in Q\}$. □

We have the following result about fixed points. 

Theorem 15. Let $x$ be a variable, and let $t$ be a term over the signature of
TCmd in which no other variables than $x$ have free occurrences. Then $[\![t]\!]^x$ has a
least fixed point with respect to $\sqsubseteq$, i.e. there exists a $p \in A^\infty$ such that $[\![t]\!]^x(p) = p$
and, for all $q \in A^\infty$, $[\![t]\!]^x(q) = q$ implies $p \sqsubseteq q$.

Proof. We have from Theorem 13 that $(A^\infty, \sqsubseteq)$ is a cpo and, using Theorem 14,
it is easily proved by induction on the structure of $t$ that $[\![t]\!]^x$ is continuous. From
this, we conclude by Tarski's fixed point theorem that $[\![t]\!]^x$ has a least fixed point
with respect to $\sqsubseteq$. □

Hence, every recursion equation in which no recursion operator occurs has a
least solution in the projective limit model for TCmd.

According to Tarski's fixed point theorem, the least fixed point of a
continuous operation $\phi : A^\infty \to A^\infty$ is $\bigsqcup\{\phi^n(\mathsf{D}) \mid n \in \mathbb{N}\}$. It is well-known that
the restriction to continuous functions of the operation $\mathsf{fix}_l : (A^\infty \to A^\infty) \to A^\infty$
defined by $\mathsf{fix}_l(\phi) = \bigsqcup\{\phi^n(\mathsf{D}) \mid n \in \mathbb{N}\}$ is continuous. Moreover, for all functions
$\phi : A^\infty \to A^\infty$ that are representable by a term over the signature of TCmd+REC,
$\mathsf{fix}(\phi) = \mathsf{fix}_l(\phi)$. This brings us to the following corollary of Theorem 15.

Corollary 2. Let $x$ be a variable, and let $t$ be a term over the signature of
TCmd+REC in which no other variables than $x$ have free occurrences. Then
$[\![t]\!]^x$ has a least fixed point with respect to $\sqsubseteq$.

Hence, every recursion equation has a least solution in the projective limit model
for TCmd+REC.